Academy Module6 Web

Academy of ICT Essentials for Government Leaders

Module 6

Information Security and Privacy

Korea Internet & Security Agency

ASIAN AND PACFIC TRAINING CENTRE FOR INFORMATION AND COMMUNICATION TECHNOLOGY FOR DEVELOPMENT

The Academy of ICT Essentials for Government Leaders Module Series

Module 6: Information Security and Privacy

This work is released under the Creative Commons Attribution 3.0 License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/.

The opinions, figures and estimates set forth in this publication are the responsibility of the authors, and should not necessarily be considered as reflecting the views or carrying the endorsement of the United Nations.

The designations used and the presentation of the material in this publication do not imply the expression of any opinion whatsoever on the part of the Secretariat of the United Nations concerning the legal status of any country, territory, city or area, or of its authorities, or concerning the delimitation of its frontiers or boundaries.

Mention of firm names and commercial products does not imply the endorsement of the United Nations.

Contact: United Nations Asian and Pacific Training Centre for Informationand Communication Technology for Development (UN-APCICT/ESCAP)Bonbudong, 3rd Floor Songdo Techno Park7-50 Songdo-dong, Yeonsu-gu, Incheon CityRepublic of Korea

Tel: 82 32 245 1700-02Fax: 82 32 245 7712E-mail: [email protected]://www.unapcict.org

Copyright © UN-APCICT/ESCAP 2011 (Second Edition)

ISBN: (to be added)

Design and Layout: Scand-Media Corp., Ltd. Printed in: Republic of Korea

Module 6 Information Security and Privacy 3

FOREWORD

The world we live in today is inter-connected and fast-changing, largely due to the rapid development of information and communication technologies (ICTs). As the World Economic Forum fittingly states, ICTs represent our “collective nerve system”, impacting and connecting every fabric of our lives through intelligent, adaptive and innovative solutions. Indeed, ICTs are tools that can help solve some of our economic, social and environmental challenges, and promote more inclusive and sustainable development.

The increased access to information and knowledge through development of ICT has the potential to significantly improve the livelihoods of the poor and marginalized, and promote gender equality. ICTs can serve as a bridge connecting people from different countries and sectors in the region and beyond by providing more efficient, transparent and reliable means and platforms for communication and cooperation. ICTs are essential to the connectivity that facilitates more efficient exchange of goods and services. Success stories from Asia and the Pacific region abound: e-government initiatives are improving access to and quality of public services, mobile phones are generating incomes and professional opportunities for women, and the voices of the vulnerable are louder than ever through the power of social media.

Yet, the digital divide in Asia and the Pacific is still seen to be one of the widest in the world. This is evidenced by the fact that the countries of the region are placed across the whole spectrum of the global ICT Development Index ranking. Despite the impressive technological breakthroughs and commitments of many key players in the region, access to basic communication is still not assured for all.

In order to complete the bridging of the digital divide, policymakers must be committed to further realizing the potential of ICTs for inclusive socio-economic development in the region. Towards this end, the Asian and Pacific Training Centre for Information and Communication Technology for Development (APCICT) was established as a regional institute of the United Nations Economic and Social Commission for Asia and the Pacific (UN/ESCAP) on 16 June 2006 with the mandate to strengthen the efforts of the 62 ESCAP member and associate member countries to use ICT in their socio-economic development through human and institutional capacity development. APCICT’s mandate responds to the Declaration of Principles and Plan of Action of the World Summit on the Information Society (WSIS), which states that: “Each person should have the opportunity to acquire the necessary skills and knowledge in order to understand, participate actively in, and benefit fully from, the Information Society and the knowledge economy.”

In order to further respond to this call to action, APCICT has developed a comprehensive information and communication technology for development (ICTD) training curriculum, the Academy of ICT Essentials for Government Leaders. Launched in 2008 and based on strong demand from member States, the Academy presently consists of 10 stand-alone but interlinked modules that aim to impart essential knowledge and expertise to help policymakers plan and implement ICT initiatives more effectively. Widespread adoption of the Academy programme throughout Asia-Pacific attests to the timely and relevant material covered by these modules.

Academy of ICT Essentials for Government Leaders4

ESCAP welcomes APCICT’s ongoing effort to update and publish high quality ICTD learning modules reflecting the fast-changing world of technology and bringing the benefits of ICTD knowledge to national and regional stakeholders. Moreover, ESCAP, through APCICT, is promoting the use, customization and translation of these Academy modules in different countries. It is our hope that through their regular delivery at national and regional workshops for senior- and mid-level government officials, the acquired knowledge would be translated into enhanced awareness of ICT benefits and concrete actions towards meeting national and regional development goals.

Noeleen Heyzer

Under-Secretary-General of the United Nationsand Executive Secretary of ESCAP


PREFACE

In the effort to bridge the digital divide, the importance of developing the human resource and institutional capacity in the use of ICTs cannot be underestimated. In and of themselves, ICTs are simply tools, but when people know how to effectively utilize them, ICTs become transformative drivers to hasten the pace of socio-economic development and bring about positive changes. With this vision in mind, the Academy of ICT Essentials for Government Leaders (Academy) was developed.

The Academy is the flagship programme of the United Nations Asian and Pacific Training Centre for Information and Communication Technology for Development (APCICT), and is designed to equip government officials with the knowledge and skills to fully leverage ICT for socio-economic development. The Academy has reached thousands of individuals and hundreds of institutions throughout the Asia-Pacific and beyond since its official launch in 2008. The Academy has been rolled out in over 20 countries in the Asia-Pacific region, adopted in numerous government human resource training frameworks, and incorporated in the curricula of university and college programmes throughout the region.

The impact of the Academy is in part a result of the comprehensive content and targeted range of topics covered by its eight initial training modules, but also due to the Academy’s ability to configure to meet local contexts and address emerging socio-economic development issues. In 2011, as a result of strong demand from countries in the Asia-Pacific, APCICT in partnership with its network of partners developed two new Academy training modules designed to enhance capacity in the use of ICT for disaster risk management and climate change abatement.

Adhering to APCICT’s “We D.I.D. It In Partnership” approach, the new Academy modules 9 and 10, like the initial modules 1 to 8, were Developed, Implemented and Delivered in an inclusive and participatory manner, and systematically drew upon an extensive and exceptional group of development stakeholders. The entire Academy has been based on: needs assessment surveys from across the Asia-Pacific region; consultations with government officials, members of the international development community, and academics and educators; research and analysis on the strengths and weaknesses of existing training materials; and a peer review process carried-out through a series of APCICT organized regional and sub-regional workshops. These workshops provided invaluable opportunities for the exchange of experiences and knowledge among users of the Academy from different countries. The result is a comprehensive 10-module Academy curriculum covering a range of important ICTD topics, and indicative of the many voices and contextual nuances present across the region.

APCICT’s inclusive and collaborative approach to development of the Academy has also created a network of strong partnerships to facilitate the delivery of ICTD training to government officials, policymakers and development stakeholders throughout the Asia-Pacific region and beyond. The Academy continues to be rolled out and adopted into training frameworks at the national and regional levels in different countries and regions as a result of close collaboration between APCICT and training institutions, government agencies, and regional and international organizations. This principle will continue to be a driving force as APCICT works with its partners to continuously update and further localize the Academy material, develop new Academy modules to address identified needs, and extend the reach of Academy content to new target audiences through new and more accessible mediums.


Complementing the face-to-face delivery of the Academy programme, APCICT has also developed an online distance learning platform called the APCICT Virtual Academy (http://e-learning.unapcict.org), which is designed to enable participants to study the material at their own pace. The APCICT Virtual Academy ensures that all the Academy modules and accompanying materials are easily accessible online for download, dissemination, customization and localization. The Academy is also available on DVD to reach those with limited or no Internet connectivity.

To enhance accessibility and relevance in local contexts, APCICT and its partners have collaborated to make the Academy available in English, Bahasa Indonesia, Mongolian, Myanmar language, Russian, Tajik and Vietnamese, with plans to translate the modules into additional languages.

Clearly, the development and delivery of the Academy would not have been possible without the commitment, dedication and proactive participation of many individuals and organizations. I would like to take this opportunity to acknowledge the efforts and achievements of our partners from government ministries, training institutions, and regional and national organizations who have participated in Academy workshops. They not only provided valuable inputs to the content of the modules, but more importantly, they have become advocates of the Academy in their countries and regions, and have helped the Academy become an important component of national and regional frameworks to build necessary ICT capacity to meet the socio-economic development goals of the future.

I would like to extend heartfelt acknowledgments to the dedicated efforts of the many outstanding contributors who have made Module 6 possible, with a special note of gratitude to the module authors from the Korea Internet & Security Agency. I would also like to thank the more than 7,500 participants that have attended over 80 Academy workshops in over 20 countries, as well as online trainings. Their invaluable insight and feedback have helped to make sure that the Academy has had a lasting impact.

I sincerely hope that the Academy will help nations narrow ICT human resource gaps, remove barriers to ICT adoption, and promote the application of ICT in accelerating socio-economic development and achieving the Millennium Development Goals.

Hyeun-Suk Rhee

DirectorUN-APCICT/ESCAP


ABOUT THE MODULE SERIES

In today’s “Information Age”, easy access to information is changing the way we live, work and play. The “digital economy”, also known as the “knowledge economy”, “networked economy” or “new economy”, is characterized by a shift from the production of goods to the creation of ideas. This underscores the growing, if not already central, role played by ICTs in the economy and in society as a whole.

As a consequence, governments worldwide have increasingly focused on ICTD. For these governments, ICTD is not only about developing the ICT industry or sector of the economy but also encompasses the use of ICTs to engender economic as well as social and political growth.

However, among the difficulties that governments face in formulating ICT policy is that policymakers are often unfamiliar with the technologies that they are harnessing for national development. Since one cannot regulate what one does not understand, many policymakers have shied away from ICT policymaking. But leaving ICT policy to technologists is also wrong because often technologists are unaware of the policy implications of the technologies they are developing and using.

The Academy of ICT Essentials for Government Leaders module series has been developed by the UN-APCICT/ESCAP for:

1. Policymakers at the national and local government level who are responsible for ICT policymaking;

2. Government officials responsible for the development and implementation of ICT-based applications; and

3. Managers in the public sector seeking to employ ICT tools for project management.

The module series aims to develop familiarity with the substantive issues related to ICTD from both a policy and technology perspective. The intention is not to develop a technical ICT manual but rather to provide a good understanding of what the current digital technology is capable of or where technology is headed, and what this implies for policymaking. The topics covered by the modules have been identified through a training needs analysis and a survey of other training materials worldwide.

The modules are designed in such a way that they can be used for self-study by individual readers or as a resource in a training course or programme. The modules are standalone as well as linked together, and effort has been made in each module to link to themes and discussions in the other modules in the series. The long-term objective is to make the modules a coherent course that can be certified.


Each module begins with a statement of module objectives and target learning outcomes against which readers can assess their own progress. The module content is divided into sections that include case studies and exercises to help deepen understanding of key concepts. The exercises may be done by individual readers or by groups of training participants. Figures and tables are provided to illustrate specific aspects of the discussion. References and online resources are listed for readers to look up in order to gain additional perspectives.

The use of ICTD is so diverse that sometimes case studies and examples within and across modules may appear contradictory. This is to be expected. This is the excitement and the challenge of this newly emerging discipline and its promise as all countries begin to explore the potential of ICTs as tools for development.

Supporting the Academy module series in print format is an online distance learning platform—the APCICT Virtual Academy —with virtual classrooms featuring the trainers’ presentations in video format and presentation slides of the modules (visit http://e-learning.unapcict.org).

In addition, APCICT has developed an e-Collaborative Hub for ICTD, or e-Co Hub (http://www.unapcict.org/ecohub), a dedicated online site for ICTD practitioners and policymakers to enhance their learning and training experience. The e-Co Hub gives access to knowledge resources on different aspects of ICTD and provides an interactive space for sharing knowledge and experiences, and collaborating on advancing ICTD.


MODULE 6

In the Information Age, information is an asset to be protected and policymakers need to know what information security is and how to take action against information leakage and infringement. This module provides an overview of the need for information security, information security issues and trends, and the process of formulating an information security strategy.

Module Objectives

The module aims to:

1. Clarify the concept of information security, privacy and related concepts;

2. Describe threats to information security and how they can be addressed;

3. Discuss the requirements for the establishment and implementation of policy on information security, as well as the life cycle of information security policy; and

4. Provide an overview of standards of information security and privacy protection that are used by some countries and international information security organizations.

Learning Outcomes

After working on this module, readers should be able to:

1. Define information security, privacy and related concepts;

2. Identify threats to information security;

3. Assess existing information security policy in terms of international standards of information security and privacy protection; and

4. Formulate or make recommendations regarding information security policy that would be appropriate to their own context.


TABLE OF CONTENTS

Foreword .......................................................................................... 3

Preface ............................................................................................. 5

About the Module Series .................................................................. 7

Module 6 ........................................................................................... 9 Module Objectives ..................................................................................................... 9 Learning Outcomes ..................................................................................................... 9 List of Case Studies ................................................................................................. 12 List of Boxes ............................................................................................................. 12 List of Figures ........................................................................................................... 12 List of Tables ............................................................................................................ 13 Acronyms .................................................................................................................. 14 List of Icons ................................................................................................................15

1. Need for Information Security .....................................................17 1.1 Basic Concepts in Information Security ...............................................................17 1.2 Standards for Information Security Activities .......................................................21

2. Information Security Trends and Directions...............................25 2.1 Types of Cyber Attacks ......................................................................................25 2.2 Trends in Information Security Threats .............................................................29 2.3 Improving Security .............................................................................................32 3. Information Security Activities .....................................................39 3.1 National Information Security Activities ..............................................................39 3.2 International Information Security Activities .......................................................50

4. Information Security Methodology ..............................................59 4.1 Different Aspects of Information Security ...........................................................59 4.2 Examples of Information Security Methodology .................................................65

5. Protection of Privacy ...................................................................71 5.1 The Concept of Privacy ......................................................................................71 5.2 Trends in Privacy Policy ....................................................................................72 5.3 Privacy Impact Assessment ..............................................................................78

6. CSIRT Establishment and Operation .........................................81 6.1 Development and Operation of a CSIRT ...........................................................81 6.2 International CSIRT Associations .......................................................................91 6.3 National CSIRTs .................................................................................................92


7. Life Cycle of Information Security Policy ....................................95 7.1 Information Gathering and Gap Analysis ...........................................................96 7.2 Formulating Information Security Policy.............................................................98 7.3 Policy Execution / Implementation ..................................................................106 7.4 Review and Evaluation of Information Security Policy .....................................110

ANNEX Further Reading .......................................................................................................112 Notes for Trainers ....................................................................................................113 About the Author ......................................................................................................115


List of Case Studies

1. Korean websites suffer DDoS attack 262. Iran: The Stuxnet worm marks a new era of cyberwar 273. Swedish bank hit by “biggest ever” online heist 284. RSA hit by advanced persistent threat attacks 295. Countering Botnet 31

List of Boxes

Box 1. Some examples of criminal and recreational hacking 25Box 2. European Commission’s multi-stakeholder dialogue 41

List of Figures

Figure 1. 4Rs of information security 19Figure 2. Correlation between risk and information assets 20Figure 3. Methods of risk management 21Figure 4. Spam statistics 31Figure 5. Defense-In-Depth model 34Figure 6. Long-term action for ENISA 44Figure 7. The Mobile Information Security Strategy of the Republic of Korea 47Figure 8. Summary of the Information Security Strategy for Protecting the Nation (Mid-term Plan: 2010-2013) 49Figure 9. A summary of the 2010 Annual Plan for Information Security 50Figure 10. ISO/IEC 27000 family 57Figure 11. Plan-Do-Check-Act process model applied to ISMS processes 60Figure 12. CAPs and CCPs 65Figure 13. Security planning process input/output 66Figure 14. BS7799 certification process 66Figure 15. ISMS certification in Japan 67Figure 16. ISMS certification scheme in the Republic of Korea 68Figure 17. ISMS certification procedures in the Republic of Korea 68Figure 18. Security team model 82Figure 19. Internal distributed CSIRT model 82Figure 20. Internal centralized CSIRT model 83Figure 21. Combined CSIRT 84Figure 22. Coordinating CSIRT 84Figure 23. Life cycle of information security policy 95Figure 24. Sample network and system structure 97Figure 25. A generic national information security organization 98Figure 26. Information security framework 101Figure 27. Areas for cooperation in information security policy implementation 107


List of Tables

Table 1. Comparison of information assets and tangible assets 18Table 2. Information security domains and related standard and certifications 22Table 3. Returns from cybercrime in 2010 32Table 4. Roles and plans of each category based on the First National Strategy on Information Security 48Table 5. Controls in ISO/IEC27001 59Table 6. Number of ISMS certificates per country 61Table 7. Composition of class in SFRs 62Table 8. Composition of class in SACs 63Table 9. ISMS certification of other countries 69Table 10. The PIA process 78Table 11. Examples of national PIAs 79Table 12. CSIRT services 90Table 13. List of national CSIRTs 92Table 14. Information security related laws in Japan 104Table 15. Information security related laws in the EU 104Table 16. Information security related laws in the USA 105Table 17. Information security budget of Japan and USA 105Table 18. Cooperation in information security policy development (example) 107Table 19. Cooperation in administration and protection of information and communication infrastructure (example) 108Table 20. Cooperation in information security accident response (example) 108Table 21. Cooperation in information security violation and accident prevention (example) 109Table 22. Coordination in privacy protection (example) 109


Acronyms

ASN.1 Abstract Syntax Notation One APCERT Asia-Pacific Computer Emergency Response Team APCICT Asian and Pacific Training Centre for Information and Communication Technology

for Development APDIP Asia-Pacific Development Information Programme (UNDP) APEC Asia-Pacific Economic Cooperation APT Advanced Persistent Threat ASEAN Association of Southeast Asian Nations BPM Baseline Protection Manual BSI British Standards Institution BSI Bundesamt fűr Sicherheit in der Informationstechnik (Germany) CAP Certificate Authorizing Participant (CCRA) CC Common Criteria CCP Certificate Consuming Participant (CCRA) CCRA Common Criteria Recognition Arrangement CECC Council of Europe Convention on Cybercrime CERT Computer Emergency Response Team CERT/CC Computer Emergency Response Team Coordination Center CIIP Critical Information Infrastructure Protection (EU) CISA Certified Information Systems Auditor CISO Chief Information Security Officer CISSP Certified Information Systems Security Professional CM Configuration Management CSEA Cyber Security Enhancement Act CSIRT Computer Security Incident Response Team CTTF Counter-Terrorism Task Force (APEC) DDoS Distributed Denial-of-Service DID Defense-In-Depth DoS Denial-of-Service ECPA Electronic Communications Privacy Act EGC European Government Computer Emergency Response Team ENISA European Network and Information Security Agency ERM Enterprise Risk Management ESCAP Economic and Social Commission for Asia and the Pacific (UN) ESM Enterprise Security Management EU European Union FEMA Federal Emergency Management Agency (USA) FIRST Forum of Incident Response and Security Teams FISMA Federal Information Security Management Act FOI Freedom of Information GCA Global Cybersecurity Agenda HTTP Hypertext Transfer Protocol ICT Information and Communication Technology IDS Intrusion Detection System IGF Internet Governance Forum IM Instant-Messaging IPS Intrusion Prevention System ISMS Information Security Management System ISO/IEC International Organization for Standardization and International Electrotechnical

Commission ISP Internet Service Provider ISP/NSP Internet and Network Service Provider


IT Information Technology ITU International Telecommunication Union ITU-D International Telecommunication Union – Development Sector ITU-R International Telecommunication Union – Radiocommunication Sector ITU-T International Telecommunication Union – Telecommunication Standardization

Sector KCC Korea Communications Commission KISA Korea Internet & Security Agency NIS Network and Information Security NISC National Information Security Center (Japan) NIST National Institute of Standards and Technology (USA) OECD Organisation for Economic Co-operation and Development OMB Office of Management and Budget (USA) OTP One-Time Password PC Personal Computer PIA Privacy Impact Assessment PP Protection Profile PSG Permanent Stakeholders Group RFID Radio Frequency Identification SAC Security Assurance Component SFR Security Functional Requirement SG Study Group (ITU) SME Small and Medium Enterprise ST Security Target TEL Telecommunications and Information Working Group (APEC) TOE Target of Evaluation TSF TOE Security Functions UK United Kingdom UN United Nations UNCTAD United Nations Conference on Trade and Development UNDP United Nations Development Programme US United States USA United States of America WPISP Working Party on Information Security and Privacy (OECD) WSIS World Summit on the Information Society

List of Icons

Case Study ?

Questions To Think About

Something To Do Test Yourself


1. NeedforINformatIoNSecurIty

This section aims to:• Explain the concept of information and information security; and• Describe standards applied to information security activities.

Human life today is highly dependent on information and communication technology (ICT). This makes individuals, organizations and nations highly vulnerable to attacks on information systems, such as hacking, cyberterrorism, cybercrime, and the like. Few individuals and organizations are equipped to cope with such attacks. Governments have an important role to play in ensuring information security by expanding the information-communication infrastructure and establishing systems to protect against information security threats.

1.1 Basic Concepts in Information Security

What is information?

Generally, information is defined as the result of mental activity; it is an intangible product that is transmitted through media. In the field of ICT, information is the result of processing, manipulating and organizing data, which is simply a collection of facts.

In the field of Information Security, information is defined as an “asset”; it is something that has value and should therefore be protected. The definition of information and information security in ISO/IEC 27001:2005 is used throughout this module.

The value assigned to information today reflects the shift from an agricultural society to an industrial society and finally to an information-oriented society. In agricultural societies, land was the most important asset and the country with the largest production of grain had a competitive edge. In industrial societies, capital strength, such as having oil reserves, was a key factor in competitiveness. In a knowledge and information-oriented society, information is the most important asset and the ability to collect, analyse and use information is a competitive advantage for any country.

As the perspective has shifted from net asset value to information asset value, there is a growing consensus that information needs to be protected. Information itself is valued more than the media holding information. Table 1 contrasts information assets with tangible assets.


table1.comparisonofinformationassetsandtangibleassets

Characteristic Information assets Tangible assets

Form – maintenance Have no physical form and can be flexible Have physical form

Value – variableness Attain higher value when combined and processed

Total value is the sum of each value

SharingUnlimited reproduction of information assets is possible, and people can share the value

Reproduction is impossible; with reproduction the value of the asset is reduced

Media – dependency Need to be delivered through media

Can be delivered independently (due to their physical form)

As shown in table 1, information assets are radically different from tangible assets. Thus, information assets are vulnerable to different kinds of risks.

Risks to information assets

As the value of information assets goes up, the desire to gain access to information and to control it increases among people. Groups are formed to use information assets for various objectives and some exert effort to obtain information assets by whatever means. The latter include hacking, piracy, destruction of information systems through computer viruses, and others. These risks that are attendant to informatization are discussed in section 2 of this module.

The negative aspects of information-oriented environments include the following:

Increase in unethical behaviour arising from anonymity – ICT can be used to maintain anonymity, which makes it easy for certain individuals to engage in unethical and criminal behaviour, including illegal acquisition of information.

Conflicts over ownership and control of information – Complications caused by ownership and control of information have increased with the expansion of informatization. For example, as governments seek to build a personal information database under the umbrella of e-government, some sectors have expressed concern over the possibility of invasion of privacy from the disclosure of personal information to other parties.

Information and wealth gaps between classes and countries – The size of information asset holdings can be the barometer of wealth in knowledge/information-oriented societies. Developed countries have the capacity to produce more information and to profit from selling information as products. Information-poor countries, on the other hand, need huge investments just to be able to access information.

Growing information exposure caused by advanced networks – The knowledge/information-oriented society is a network society. The whole world is connected like a single network, which means that weaknesses in one part of the network can adversely impact the rest of the network.

What is information security?

In response to attempts to obtain information illegally, people are making an effort to prevent information-related crimes or to minimize the damage such crimes can cause. This is called information security.


Simply put, information security is recognizing the value of information and protecting it.

4Rs of information security

The 4Rs of information security are Right Information, Right People, Right Time and Right Form. Control over the 4Rs is the most efficient way to maintain and control the value of information.

figure1.4rsofinformationsecurity

“Right Information” refers to the accuracy and completeness of information, which guarantees the integrity of information.

“Right People” means that information is available only to authorized individuals, which guarantees confidentiality.

“Right Time” refers to the accessibility of information and its usability upon demand by an authorized entity. This guarantees availability.

“Right Form” refers to providing information in the right format.

To safeguard information security, the 4Rs have to be applied properly. This means that confidentiality, integrity and availability should be observed when handling information. Information security also requires a clear understanding of the value of information assets, as well as their vulnerabilities and corresponding threats. This is known as risk management. Figure 2 shows the correlation between information assets and risk.


figure2.correlationbetweenriskandinformationassets

Risk is determined by the asset value, threats and vulnerabilities. The formula is as follows:

Risk = ∫(Asset Value, Threats, Vulnerabilities)

Risk is directly proportional to asset value, threats and vulnerabilities. Thus, the risk can be increased or decreased by manipulating the size of the asset value, threats and vulnerabilities. This can be done through risk management.

The methods of risk management are as follows:

Risk reduction (risk mitigation) – This is done when the likelihood of threats/vulnerabilities is high but their effect is low. It involves understanding what the threats and vulnerabilities are, altering or reducing them, and implementing a countermeasure. However, risk reduction does not reduce the value of risk to “0”.

Risk acceptance – This is done when the likelihood of threats/vulnerabilities is low and their likely impact is minor or acceptable.

Risk transference – If the risk is excessively high or the organization is not able to prepare the necessary controls, the risk can be transferred outside of the organization. An example is taking out an insurance policy. Risk avoidance – If the threats and vulnerabilities are highly likely to occur and the impact is also extremely high, it is best to avoid the risk by outsourcing data processing equipment and staff, for example.

Figure 3 is a graphic representation of these four methods of risk management. In this figure, the quadrant marked “1” is risk reduction, “2” is risk acceptance, “3” is risk transference and “4” is risk avoidance.


figure3.methodsofriskmanagement

A key consideration in choosing the appropriate risk management method is cost-effectiveness. A cost-effectiveness analysis should be performed before the plan for risk reduction, acceptance, transference, or avoidance is established.

1.2 Standards for Information Security Activities

Information security activities cannot be effectively performed without the mobilization of a unified administrative, physical and technical plan.

Many organizations have recommended standards for information security activities. Representative examples are the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC), information security requirements and evaluation items of the Certified Information Systems Auditor (CISA), and Certified Information Systems Security Professional (CISSP) of the Information Systems Audit and Control Association (ISACA). These standards recommend unified information security activities, such as the formulation of an information security policy, the construction and operation of an information security organization, human resources management, physical security management, technical security management, security audit and business continuity management.

Table 2 lists the standards related to information security domains.


table2.Informationsecuritydomainsandrelatedstandardandcertifications

Security domains ISO/IEC 27001 CISA CISSP

Administrative

Security Policy IT Governance

Security Management Practices

Security Architecture and Models

Organization of Information Security IT Governance

Asset Management Protection of Information Assets

Security Management Practices

Human Resources Security

Information Security Incident Management

Business Continuity and Disaster Recovery

Business Continuity Planning and Disaster Recovery Planning

Business Continuity Management

Business Continuity and Disaster Recovery

Business Continuity Planning and Disaster Recovery Planning

ComplianceThe information

systems (IS) Audit Process

Law, Investigation and Ethics

Physical Physical and

Environmental Security

Physical Security

Technical

Communications and Operations Management

Systems and Infrastructure Life Cycle Management

Cryptography

Telecommunications and Network Security

Operations SecurityAccess ControlInformation Systems

Acquisition, Development and Maintenance

IT Service Delivery and Support

ISO/IEC270011 focuses on administrative security. In particular, it emphasizes documentation and operation audit as administrative behaviour and the observance of policy/guideline and law. Continuous confirmation and countermeasures by the administrator are required. Thus, ISO/IEC27001 tries to address the weak points of security systems, equipment, and the like in an administrative way.

In contrast, there is no mention of human resources or physical security in CISA, which focuses on audit activities and controls on information systems. Accordingly, the role of auditors and the performance of audit process are considered very important.

1 ISO, “ISO/IEC27001:2005”, http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42103.


CISSP2 focuses mainly on technical security. It emphasizes the arrangement and control of equipment such as servers or computers.

Something To Do

1. Assess the level of information security awareness among members of your organization.

2. What information security measures does your organization implement? Classify these measures in terms of the four methods of information security.

3. Identify examples of information security measures in the administrative, physical and technical domains within your organization or in other organizations in your country or jurisdiction.

Training participants can do this exercise in small groups. If participants come from different countries, the small groups can be by country.

Test Yourself

1. How is information different from other assets?

2. Why is information security a concern for policy makers?

3. What are ways of ensuring information security? Differentiate the various methods of addressing information security.

4. Differentiate between each of the three information security domains (administrative, physical and technical).

2 See (ISC)², “CISSP® - Certified Information Systems Security Professional”, http://www.isc2.org/cissp.


2. INformatIoNSecurItytreNdSaNddIrectIoNS

This section aims to:• Provide an overview of threats to information security; and• Describe countermeasures against such threats.

2.1 Types of Cyber Attacks

Hacking

Hacking is the act of gaining access to a computer or computer network to obtain or modify information without legal authorization.

Hacking can be classified as recreational, criminal or political hacking, depending on the purpose of the attack. Recreational hacking is unauthorized modification of programs and data simply to satisfy the hacker’s curiosity. Criminal hacking is used in fraud or espionage. Political hacking is tampering with websites to broadcast unauthorized political messages.3

Recently, hacking has become more and more implicated in cyberterror and cyberwarfare, posing a major threat to national security. Another new trend shows hacking groups targeting major sites with national interest and holds highly sensitive information.

Box1.Someexamplesofcriminalandrecreationalhacking

The year 2011 marked a new era of high-profile targeted attacks that included the hacking of RSA, a provider of security solutions; of Lockheed Martin, the largest defence contractor in the USA; of Oak Ridge National Laboratory, a US Department of Energy-run research laboratory; and of the International Monetary Fund (IMF), a specialized agency of the United Nations. Military, financial, governmental, and other organizations with critical intellectual property, plans and finances are particularly at risk.

LulzSec, a computer hacker group recently dominated headlines for claiming responsibility for several high-profile attacks, including the compromise of user accounts from Sony Pictures in 2011. LulzSec has also hacked into PBS, the US Senate, the CIA, FBI Affiliate InfraGard and others. It is also known for the sarcastic messages it posts in the aftermath of its attacks. Some security professionals have applauded LulzSec for drawing attention to insecure systems, while others raise concern about exposing personal data of companies and individuals.

Sources: Sophos, Security Threat Report Mid-Year 2011 (2011); and Wikipedia, “LulzSec”, http://en.wikipedia.org/wiki/LulzSec.

3 Suresh Ramasubramanian, Salman Ansari and Fuatai Purcell, “Governing Internet Use: Spam, Cybercrime and e-Commerce”, in Internet Governance: Asia-Pacific Perspectives, Danny Butt, ed. (Bangkok, UNDP-APDIP, 2005), p. 95, http://www.apdip.net/projects/igov/ICT4DSeries-iGov-Ch5.pdf.


Denial-of-Service and Distributed Denial-of-Service

Denial-of-Service (DoS) cause an action upon a computer or networked device that results in other processes, resources or activities floundering and failing to respond adequately. Distributed Denial-of-Service (DDoS) attacks are where multiple participating devices engage in DoS attacks from a distributed assortment of location.

The specific attack traffic or vulnerability exploitation that causes the target(s) to become unresponsive is typically the same for both DDoS and DoS attacks. The distributed sources engaged in the DDoS attack often make the attack more difficult to defend against and are generally more successful against larger and faster responding targets.4

KoreanwebsitessufferddoSattack

On 4 March 2011, malicious computer codes launched a DDoS attack on the websites of the Republic of Korea’s presidential office and other major institutions, shutting down some of them temporarily.

The Republic of Korea raised the cyberalert level following the DDoS attack, which disabled access to servers and harmed computers’ hard drives. The Korea Communications Commission (KCC), the country’s telecommunications regulator, issued the third-highest alert.

The Web page of the Financial Services Commission, the country’s financial regulator, was briefly overloaded in the morning and an online stock trading system of a local brokerage was shut down for several minutes by the assault. They recovered operation and no other damages were reported. The website of the presidential office was also attacked by a DDoS attack, but no damage was done.

The DDoS attack also targeted the websites of the unification ministry, the defense ministry, the National Assembly, the military headquarters, the US Forces in Korea, major local lenders, securities companies, Internet portals and other government agencies.

Attackers hacked two Korean peer-to-peer file sharing websites and planted malicious codes in files, which were downloaded onto personal computers (PCs) and triggered massive cyberassaults.

It was estimated that between 4,300 and 11,000 personal computers were infected by the malware in this DDoS attack. In response, a security company distributed free software for treatment.

Source: Yonhap News Agency, “S. Korean Web sites suffer DDoS attack”, 4 March 2011, http://english.yonhapnews.co.kr/national/2011/03/04/36/0301000000AEN20110304007200315F.HTML.

Malicious code

Malicious code refers to programs that cause damage to a system when executed. Viruses, worms and Trojan horses are types of malicious code.

4 Gunter Ollmann, “Understanding the Modern DDoS Threat”, White Paper, Damballa, p. 2, http://www.damballa.com/downloads/r_pubs/WP_Understanding_the_Modern_DDoS_attack.pdf.


A computer virus is a computer program or programming code that damages computer systems and data by replicating itself by initiating copying to another program, computer boot sector or document.

A worm is a self-replicating virus that does not alter files but resides in active memory, using parts of an operating system that are automatic and usually invisible to the user. Their uncontrolled replication consumes system resources, slowing or halting other tasks. It is usually only when this happens that the presence of worms is detected. A Trojan horse is a program that appears to be useful and/or harmless but really has a malicious function such as unloading hidden programs or command scripts that make a system vulnerable to encroachment.

Iran:theStuxnetwormmarksaneweraofcyberwar

The Stuxnet worm was discovered on computers in Iran in June 2010 by a Belarusian security firm. The worm had infected more than 100,000 computer systems worldwide, most of them in Iran.

The Los Angeles Times reports that: “Stuxnet is being called the most sophisticated cyber weapon ever unleashed, because of the insidious way in which it is believed to have secretly targeted specific equipment used in Iran’s nuclear program.”

The targeted code was designed to attack Siemens Simatic WinCC SCADA systems. The Siemens system is used in various facilities to manage pipelines, nuclear plants, and various utility and manufacturing equipment. Although the Stuxnet worm affected many systems, it is speculated by many that the worm was created specifically to target Iran’s nuclear facility. The creator of the worm is yet unknown.

Sources: Ken Dilanian, “Iran’s nuclear program and a new era of cyber war”, Los Angeles Times, 17 January 2011, http://articles.latimes.com/2011/jan/17/world/la-fg-iran-cyber-war-20110117; Kim Zetter, “Iran: Computer Malware Sabotaged Uranium Centrifuges”, Wired, 29 November 2010, http://www.wired.com/threatlevel/2010/11/stuxnet-sabotage-centrifuges/; and Wikipedia, “Stuxnet”, http://en.wikipedia.org/wiki/Stuxnet.

Social engineering

The term “social engineering” refers to a set of techniques used to manipulate people into divulging confidential information. Although it is similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access. In most cases the attacker never comes face-to-face with the victim.

Phishing, the act of stealing personal information via the Internet for the purpose of committing financial fraud, is an example of social engineering. Phishing has become a significant criminal activity on the Internet.


Swedishbankhitby“biggestever”onlineheist

On 19 January 2007, the Swedish bank Nordea was hit by online phishing. The attack was started by a tailor-made Trojan sent in the name of the bank to some of its clients. The sender encouraged clients to download a “spam fighting” application. Users who downloaded the attached file, called “raking.zip” or “raking.exe”, were infected by the Trojan also known as “haxdoor.ki” by some security companies.

Haxdoor typically installs keyloggers to record keystrokes and hides itself using a rootkit. The payload of the .ki variant of the Trojan was activated when users attempted to log into the Nordea online banking site. Users were redirected to a false homepage, where they entered important log-in information, including log-in numbers. After the users entered the information, an error message appeared, informing them that the site was experiencing technical difficulties. Criminals then used the harvested customer details on the real Nordea website to take money from customer accounts.

Nordea customers were targeted by e-mail containing the tailor-made Trojan for over 15 months. Two hundred fifty bank clients were said to have been affected, with total damages amounting to between seven and eight million Swedish krona (USD 7,300-8,300 in 2007). The case proves that cyberattacks can affect even financial companies with high-level security protection.

Source: Tom Espiner, “Swedish bank hit by ‘biggest ever’ online heist”, ZDNet.co.uk (19 January 2007), http://news.zdnet.co.uk/security/0,1000000189,39285547,00.htm.

Spam

Spam is a bulk, unsolicited, commercial electronic message delivered through information communication service such as e-mail. Spam is a low-cost and effective medium for advertising. Recently, spam is used to spread malicious code or seize personal information. Sometimes, this type of spam is sent from zombie PCs that are, in most cases, infected by malicious codes.

APT

An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization.5

APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing and the financial industry.

An APT attacker often uses “spear fishing”, a type of social engineering, to gain access to the network through legitimate means. Once access has been achieved, the attacker establishes a “back door”.

The next step is to gather valid user credentials (especially administrative ones) and move laterally across the network, installing more back doors. The back doors allow the attacker to install bogus utilities and create a “ghost infrastructure” for distributing malware that remains hidden in plain sight.

5 SearchSecurity.com, “advanced persistent threat (APT)”, http://searchsecurity.techtarget.com/definition/advanced-persistent-threat-APT.


rSahitbyadvancedpersistentthreatattacks

In March 2011, RSA, the security division of EMC, announced that it had been a target of an attack and that information related to RSA’s SecurID two-factor authentication products was stolen by attackers.

Investigations had revealed that the attack was in the category of an APT. APT threats are becoming a significant challenge for all large corporations. To identify APTs, organizations need to deploy technologies that not only identify all potential threats through behaviour analysis, but are also able to test all suspicious elements in a virtual environment.

Two-factor authentication is a preferred method of providing stronger security than is provided by a username and password alone. One of the most common methods of two-factor authentication is to use a key fob or token that provides a randomized code users must enter in addition to the username and password in order to authenticate and gain access to the site or application.

RSA is a leading provider of two-factor authentication solutions, and its key fobs and tokens are virtually ubiquitous. With millions of customers relying on RSA to provide additional security and protect accounts from unauthorized access, it is troubling that malicious hackers may now possess the keys to circumvent that protection.

RSA assured its clients that the information extracted did not enable a successful direct attack on any of their RSA SecurID customers. However, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.

Lockheed-Martin, a client of RSA, was subsequently hacked, and it is speculated to have been carried out by the same hacker (see case study above).

Sources: Tony Bradley, “RSA SecurID Hack Shows Danger of APTs”, PCWorld, 19 Mach 2011, http://www.pcworld.com/businesscenter/article/222555/rsa_securid_hack_shows_danger_of_apts.html; and Warwick Ashford, “RSA hit by advanced persistent threat attacks”, Computer Weekly, 18 March 2011, http://www.computerweekly.com/Articles/2011/ 03/18/245974/RSA-hit-by-advanced-persistent-threat-attacks.htm.

2.2 Trends in Information Security Threats6

An important activity in safeguarding information security is security threat trend analysis. This refers to the search for patterns in security threats over time in order to identify the ways in which such patterns change and develop, veer in new directions, or shift. This iterative process of collecting and correlating information and improving incident profiles is done to be able to anticipate likely or possible threats and prepare the appropriate responses to these threats.

Organizations that perform information security threat trend analysis and share security threat trend reports include:

• CERT (http://www.cert.org/cert/)• Symantec (http://www.symantec.com/business/theme.jsp?themeid=threatreport)• IBM (http://xforce.iss.net/)

6 This section is drawn from Tim Shimeall and Phil Williams, Models of Information Security Trend Analysis (Pittsburgh, CERT Analysis Center, 2002), http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.11.8034.


Trends in information security threats that have been reported are described below.

Automation of attack tools7

Intruders now use automated tools that allow them to gather information about thousands of Internet hosts quickly and easily. Networks can be scanned from a remote location and hosts with specific weaknesses identified using these automated tools. The intruders catalogue the information for later use, share or trade it with other intruders, or attack immediately. Some tools (such as Cain & Abel) automate a series of small attacks towards an overall objective. For example, intruders can use a packet sniffer to obtain router or firewall passwords, log in to the firewall to disable filters, and then use a network file service to read data on a server.

Attack tools that are difficult to detect

Some attack tools use new attack patterns that are not detected by existing detection tools. For example, anti-forensic techniques are being used to mask or hide the nature of attack tools. Polymorphic tools change form each time they are used. Some of these tools use common protocols like the hypertext transfer protocol (HTTP), making it difficult to distinguish them from legitimate network traffic.8 The MSN Messenger worm is a good example of this. A worm in the MSN Messenger Instant-Messaging (IM) client sends to contacts from the infected user’s address book a file designed to infect systems, after first issuing a warning that they are about to receive a file. The behaviour of a real IM user is mimicked, which is alarming.9

Faster discovery of vulnerabilities

Every year the newly discovered vulnerabilities in software products that are reported to the Computer Emergency Response Team Coordination Center (CERT/CC) more than doubles in number, making it difficult for administrators to keep up-to-date with patches. Intruders know this and take advantage.10 Some intruders launch a zero-day (or zero-hour) attack, which is a computer threat that exploits computer application vulnerabilities for which there are no patches or protection because they have not yet been discovered by administrators.11

Increasing asymmetric threat and convergence of attack methods

An asymmetric threat is a condition in which an attacker has the edge over a defender. The number of asymmetric threats increases with the automation of threat deployment and sophistication of attack tools.

Convergence of attack methods refers to the consolidation of diverse attack methods by attackers to create global networks that support coordinated malicious activity. For example, Zbot, known as Zeus, is a malware package that is readily available for sale and also traded in underground forums. The package contains a builder that can generate a bot executable and Web server files (PHP, images, SQL templates) for use as the command and control server. While Zbot is a generic back door that allows full control by an unauthorized remote user, the

7 This sub-section is drawn from CERT, “Security of the Internet”, Carnegie Mellon University, http://www.cert.org/encyc_article/tocencyc.html.

8 Suresh Ramasubramanian, Salman Ansari and Fuatai Purcel, “Governing Internet Use”, p. 94 (see footnote 3).9 Munir Kotadia, “Email worm graduates to IM”, ZDNet.co.uk, 4 April 2005, http://www.zdnet.co.uk/news/security-

management/2005/04/04/email-worm-graduates-to-im-39193674/.10 Suresh Ramasubramanian, Salman Ansari and Fuatai Purcel, “Governing Internet Use”.11 Wikipedia, “Zero day attack”, http://en.wikipedia.org/wiki/Zero_day_attack.


primary function of Zbot is financial gain—stealing online credentials such as FTP, e-mail, online banking, and other online passwords.12

Increasing threat from infrastructure attacks

Infrastructure attacks are attacks that broadly affect key components of the Internet. They are a concern because of the number of organizations and users on the Internet and their increasing dependence on the Internet to carry out day-to-day business. Infrastructure attacks result in DoS, compromise of sensitive information, spread of misinformation, and significant diversion of resources from other tasks.

Botnet is an example of an infrastructure attack. The term “botnet” refers to a group of infected computers that are controlled remotely by a “command control server”. The infected computers spread worms and Trojans throughout network systems.

Spam is rapidly increasing due to the use of botnet. Spam refers to unsolicited bulk messages, which may be sent via e-mail, instant messages, search engines, blogs and even mobile phones. Figure 4 shows the trend in spam volumes.

figure4.Spamstatistics

Source: Symantec MessageLabs.

counteringBotnet

To reduce the damage from botnet, the International Telecommunication Union (ITU) recommends a combination of policy, technology and social methodology.

Policy: Effective antispam and cybercrime laws and regulation• Capacity building among relevant policy stakeholders• Comprehensive framework for international cooperation and outreach• Consistency between cybercrime and privacy legislation• Framework for local enforcement of cybercrime and botnet mitigation

12 Nicolas Falliere and Eric Chien, Zeus: King of the Bots, Security Response (Cupertino, CA, Symantec, 2009), p. 1, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf.


Technical: Tools and techniques to identify and gather information about active botnets• Information security and privacy best practices to mitigate botnet activity• Registrar and registry best practices to mitigate botnet activity• Capacity building for e-commerce and online transaction providers

Social: Broad-based education initiatives on Internet safety and security• Facilitation of secure ICT access for users

The PTF ITU SPAM toolkit is a comprehensive package to help policy planners, regulators and companies adjust policy and recover confidence in e-mail. The toolkit also recommends sharing of information across countries to prevent international problems.

Changes in purpose of attacks

It used to be that computer and network attacks were perpetrated out of curiosity or for self-satisfaction. Now, the purpose is usually money, slander and destruction. Moreover, these types of attacks represent only a small portion of the broad spectrum of cybercrime.

Cybercrime is the deliberate destruction, disruption or distortion of digital data or information flows for political, economic, religious or ideological reasons. The most common crimes include hacking, DoS, malicious code and social engineering. Recently, cybercrime has become part of cyberterror and cyberwarfare, with adverse effects on national security.

Table 3 below shows what perpetrators of cybercrime earn.

table3.returnsfromcybercrimein2010

Item Price Ranges (in USD)Credit card information 0.07-100 Bank account credentials 10-900E-mail accounts 1-18Attack tools 5-650E-mail addresses 1/MB-20/MBCredit card dumps 0.50-120Full identities 0.50-20Scam hosting 10-150Shell scripts 2-7Cash-out services 200-500 (or 50%-70% of total value)

Source: Symantec, Internet Security Threat Report Volume 16 (2011), http://www.symantec.com/business/threatreport/topic.jsp?id=fraud_activity_trends&aid=underground_economy_servers.

2.3 Improving Security

Given the trends in security threats and attack technologies, a robust defence requires a flexible strategy that allows adaptation to the changing environment, well-defined policies and procedures, the use of appropriate security technologies, and constant vigilance.


It is helpful to begin a security improvement programme by determining the current state of security. Integral to a security programme are documented policies and procedures, as well as technology that supports their implementation.

Administrative security

Administrative security consists of an information security strategy, policy and guidelines.

An information security strategy sets the direction for all information security activities.

An information security policy is a documented high-level plan for organization-wide information security. It provides a framework for making specific decisions, such as an administrative and physical security plan.

Because an information security policy should have a long-term point of view, it should avoid technology-specific content and include effective business continuity planning development.

Information security guidelines should be established according to the information security strategy and policy. The guidelines should specify regulations for each area related to information security. And because the guidelines must be comprehensive and national in scope, they must be developed and delivered by the government for observance by organizations.

Information security standards must be specialized and specific so that they can be applied to all security information areas. It is good for each country to develop standards after analysing the administrative, physical and technical security standards that are widely used all over the world. Standards should be appropriate to the prevailing ICT environment.

A country’s information security strategy, policy and guidelines should be in compliance with related law. Their scope should be within the boundaries of national and international laws.

Information security operation and process

Once an information security strategy, policy and guidelines are established, information security operating procedures and processes will need to be defined. Because people are the ones who perpetrate attacks on information or leak internal information, human resources management is the most important factor in operating information security. Hence the need for the following:

1. Information security education and training programme – There are many methods to improve an organization’s level of information security but education and training are the basic activities. The members of an organization must appreciate the need for information security and acquire related skills through education and training. However, it is important to develop various programmes for maximizing participation because standardized information security education and training programmes may not be effective.

2. Strengthening promotion through a variety of events – Employee participation is important in the successful implementation of information security strategy, policy and guidelines. Information security should be promoted among employees through various daily activities.

3. Securing sponsorship – While there may be high levels of information security awareness among employees and they have a strong will to maintain information security, it is difficult to ensure information security without support from the highest levels of the organization. The support of the Chief Executive Officer and Chief Information Officer should be obtained.


Technological security

Various technologies have been developed to help organizations secure their information systems against intruders. These technologies help to protect systems and information against attacks, to detect unusual or suspicious activities, and to respond to events that affect security.

Today’s security systems have been designed and developed based on a Defense-In-Depth (DID) model that leads to unified management of the technologies involved. This model is different from perimeter defence, which has only one layer of defence against all threats. The DID model consists of prevention, detection and tolerance, with threats being reduced at each phase (see figure 5).

figure5.defense-In-depthmodel

Source: Defense Science Board Task Force, Protecting the Homeland: Defensive Information Operations 2000 Summer Study Volume II (Washington, D.C., 2001), p. 5, http://www.carlisle.army.mil/DIME/documents/dio.pdf.

Prevention technology

Prevention technologies protect against intruders and threats at the storage or system level. These technologies include the following:

1. Cryptography – Also referred to as encryption, cryptography is a process of translating information from its original form (called plaintext) into an encoded, incomprehensible form (called ciphertext). Decryption refers to the process of taking ciphertext and translating it back into plaintext. Cryptography is used to protect various applications. More information about cryptography and related technologies (IPSec, SSH, SSL, VPN, OTP, etc.) is available at the following Web pages:

• IETF RFC (http://www.ietf.org/rfc.html)• RSA Laboratories’ Frequently Asked Questions About Today’s Cryptography (http://www.rsa.com/rsalabs/node.asp?id=2152)


2. One-time passwords (OTPs) – As the name implies, OTPs can be used only once. Static passwords can more easily be accessed by password loss, password sniffing, brute-force password cracks, and the like. This risk can be greatly reduced by constantly altering a password, as is done with an OTP. For this reason, OTP is used to secure electronic financial transactions such as online banking.

3. Firewalls – Firewalls regulate some of the flow of traffic between computer networks of different trust levels such as between the Internet, which is a no-trust zone, and an internal network, which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a “perimeter network” or demilitarized zone.

4. Vulnerability analysis tool – Because of the increase in the number of attack methods and the vulnerabilities present in commonly used applications, it is necessary to periodically assess a system’s vulnerabilities. In computer security, a vulnerability is a weakness that allows an attacker to violate a system. Vulnerabilities may result from weak passwords, software bugs, a computer virus, a script code injection, an SQL injection or malware. Vulnerability analysis tools detect these vulnerabilities. They are easily available online and there are companies that provide analytic services. However, those that are freely available to the Internet community could be misused by intruders. For more information, see:

• Secunia Vulnerability Archive (http://secunia.com/advisories)• SecurityFocus Vulnerability Archive (http://www.securityfocus.com/bid)• Top 100 Network Security Tools (http://sectools.org)• VUPEN Security Research – Discovered Vulnerability

(http://www.vupen.com/english/research.php)

Network vulnerability analysis tools analyse vulnerabilities of network resources such as routers, firewalls and servers.

A server vulnerability analysis tool analyses such vulnerabilities as a weak password, weak configuration and file permission error in the internal system. A server vulnerability analysis tool provides relatively more accurate results than does a network vulnerability analysis tool because this tool analyses many more vulnerabilities in the internal system.

Web vulnerability analysis tools analyse vulnerabilities of Web applications such as XSS and SQL Injection throw web. For more information, see the Open Web Application Security Project at http://www.owasp.org/index.php/Top_10_2010.

Detection technology

Detection technology is used to detect and trace abnormal states and intrusion in networks or important systems. Detection technology includes the following:

1. Antivirus – An antivirus software is a computer program for identifying, neutralizing or eliminating malicious code, including worms, phishing attacks, rootkits, Trojan horses and other malware.13

2. Intrusion detection system (IDS) – An IDS gathers and analyses information from various areas within a computer or a network to identify possible security breaches. Intrusion detection functions include analysis of abnormal activity patterns and ability to recognize attack patterns.

13 Wikipedia, “Antivirus software”, http://en.wikipedia.org/wiki/Antivirus_software.


3. Intrusion prevention system (IPS) – Intrusion prevention attempts to identify potential threats and respond to them before they are used in attacks. An IPS monitors network traffic and takes immediate action against potential threats according to a set of rules established by the network administrator. For example, an IPS might block traffic from a suspicious IP address.14

Integration technology

Integration technology integrates important functions for the information security of core assets, such as predicting, detecting and tracing intrusions. Integration technology includes the following:

1. Enterprise security management (ESM) – An ESM system manages, controls and operates an information security solution such as an IDS and IPS based on a consistent policy. It is used as a strategy to make up for the weakness of other solutions by using the advantages of each information security solution and maximizing the efficiency of information security under a consistent policy.

ESMs that can manage existing security technologies synthetically came about recently due to the shortage of human resources operating security technologies, the increase in upgraded attacks such as convergence of attack methods, and the emergence of attack tools that are difficult to detect. With ESM, the efficiency of management is raised and active countermeasures are established.

2. Enterprise risk management (ERM) – ERM is a system that helps to predict all risks related to organizations, including in areas outside of information security, and automatically configure countermeasures. Use of ERM to protect information requires that the exact purpose of risk management and design for the development of the system are specified. Most organizations construct and optimize their own ERMs through professional information security consulting agencies instead of doing it by themselves.

? Questions To Think About

1. What information security threats is your organization vulnerable to? Why?

2. Which information security technology solutions are available in your organization?

3. Does your organization have an information security policy, strategy and guidelines? If yes, how adequate are these given the threats that your organization is vulnerable to? If none, what would you recommend by way of an information security policy, strategy and guidelines for your organization?

14 SearchSecurity.com, “Intrusion prevention”, TechTarget, http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1032147,00.html.


Test Yourself

1. Why is it important to conduct information security threat trend analysis?

2. Why is human resources management the most important factor in information security operations? What are the key activities in human resources management for information security?

3. Explain the Defense-In-Depth model of technology security. How does it work?


3. INformatIoNSecurItyactIvItIeS

This section aims to:• Give examples of information security activities of various countries to serve

as a guide in information security policymaking; and • Highlight international cooperation in implementing information security

policy.

3.1 National Information Security Activities

Information security strategy of the United States of America

After the terrorist attacks on 11 September 2001 (9/11), the US government established the Department of Homeland Security to strengthen national security not only against physical threats but also against cyberthreats. The US implements comprehensive and effective information security activities through the Information Security Officer system. Its information security strategy includes the National Strategy for Homeland Security, National Strategy for the Physical Security of Critical Infrastructures and Key Assets, and National Strategy to Secure Cyberspace.

The National Strategy to Secure Cyberspace15 sets the vision of cybersecurity and protection of critical infrastructure and assets. It defines the specific goals and activities for preventing cyberattacks against critical infrastructure and assets. The five national priorities defined in the National Strategy to Secure Cyberspace are:

• A National Cyberspace Security Response System• A National Cyberspace Security Threat and Vulnerability Reduction Program• A National Cyberspace Security Awareness and Training Program• Securing Government’s Cyberspace• National Security and International Cyberspace Security Cooperation

The US cybersecurity policy continues to evolve to meet various challenges, but critical gaps remain, including the incomplete protection of digital infrastructure vital to national security, such as power grids and financial networks. Upon assuming office in 2009, President Barack Obama declared cyberspace a strategic national asset and requested a complete Cyberspace Policy Review. In May 2011, the White House released its International Strategy for Cyberspace—an attempt to signal to both allies and adversaries what the US expects and what its plans are in this emerging medium. Current US cybersecurity policy splits responsibilities between the Departments of Defence and Homeland Security, with the former managing “dot mil” and the latter “dot gov” domains. Also, the US government has made efforts to keep a coherent approach to protecting critical digital assets outside of the government and, in most cases, relies on the voluntary participation of private industry.

15 The White House, The National Strategy to Secure Cyberspace (Washington, D.C., 2003), http://www.us-cert.gov/reading_room/cyberspace_strategy.pdf.


Tightening up information security law

The Cyber Security Enhancement Act of 200216 (CSEA) comprises the second chapter of the Homeland Security Law. It provides for amendments to sentencing guidelines for certain computer crimes, emergency disclosure exception, good faith exception, prohibition of illegal Internet advertisement and protection of privacy, among others.

Emergency disclosure exception: Before 9/11, the Electronic Communications Privacy Act (ECPA) prohibited electronic communication service providers (such as Internet service providers or ISPs) from disclosing user communications (such as voice mail, e-mail and attachments). The Emergency Disclosure Exception allows ISPs to share the contents of an e-mail or electronic communication with law enforcement agencies without warrant according to the USA Patriot Act enacted after 11 September 2001. The exceptional regulations of openness in case of an emergency have been strengthened in the CSEA. Government agencies receiving suspicious content are required to report, within 90 days after the disclosure, to the Attorney General the disclosure date, parties involved, disclosure information and number of related applicants, and number of communications.

Good faith exception: The CSEA stipulates exemption from criminal and civil charges in case the eavesdropping is requested by the computer owner or operator.

Prohibition of Internet advertising of illegal devices: The ECPA prohibits the manufacture, distribution, possession and online advertising of wire, oral and electronic communication intercepting devices. Electronic eavesdropping devices may be advertised. However, the advertiser is required to know the contents of the advertisement.

Reinforcing punishment for computer offences: Under the US Computer Fraud and Abuse Act, intentionally accessing a computer and causing damage to it without authorization is considered illegal. Before 9/11, any person found guilty of this crime was to be sentenced to imprisonment of not more than five years in case of a first offence and not more than 10 years in case of a second offence. After 9/11, the punishment for such offences was revised to imprisonment of not more than 10 years in a first offence and not more than 20 years in a second offence. Additional clauses in the CSEA stipulate that an offender can be sentenced to imprisonment of not more than 20 years if the offender causes or attempts to cause serious bodily injury; he or she could be given a life sentence if he or she causes or attempts to cause death.

Exemption of assistants’ responsibility: The ECPA exempts from criminal charges communication service providers who assist in communication interception or who provide information to law enforcers.

The Federal Information Security Management Act (FISMA)17 comprises the third chapter of the e-Government Act of 2002. The statute recognizes the importance of information security to the economic and national security interests of the US. Further, the statute requires federal agencies to develop, document and implement an agency-wide programme to provide security for the information and information systems that support the operations and assets of the agency. It includes the operations and assets provided or managed by other agencies, contractors, or other sources. This law also calls for increased efforts to protect the information security of all citizens, national security agencies and law enforcement agencies.

16 Computer Crime and Intellectual Property Section, SEC. 225, Cyber Security Enhancement Act of 2002 (Washington D.C., Department of Justice, 2002), http://www.justice.gov/criminal/cybercrime/homeland_CSEA.htm.

17 OMB, Federal Information Security Management Act: 2004 Report to Congress (Washington, D.C., Executive Office of the President of the United States, 2005), http://www.whitehouse.gov/sites/default/files/omb/assets/omb/inforeg/2004_fisma_report.pdf.


The main objectives of Federal Information Security Management are: (1) to provide a comprehensive framework for strengthening the efficiency of information security controls on operation and assets; and (2) to develop the appropriate controls and maintenance plans for protecting information/information systems, and provide a mechanism for strengthening the management of information security programmes.

FISMA provides the framework for securing the federal government’s information technology (IT). All agencies must implement the requirements of FISMA and report annually to the Office of Management and Budget (OMB) and Congress on the effectiveness of their information security and privacy programmes. OMB uses the information to help evaluate agency-specific and government-wide information security and privacy programme performance, develop its annual security report to Congress, assist in improving and maintaining adequate agency performance, and assist in the development of the e-Government Scorecard under the President’s Management Agenda.

Information security strategy of the European Union

In a Communication dated May 2006,18 the European Commission describes the recent European Union (EU) strategy for information security as consisting of a number of interdependent measures involving many stakeholders. These measures include the establishment of a Regulatory Framework for Electronic Communications in 2002, the articulation of the i2010 initiative for the creation of a European Information Society, and the setting up of the European Network and Information Security Agency (ENISA) in 2004. According to the Communication, these measures reflect a three-pronged approach to security issues in the Information Society embracing specific network and information security (NIS) measures, the regulatory framework for electronic communications (which includes privacy and data security issues), and the fight against cybercrime.

The Communication notes attacks on information systems, increasing deployment of mobile devices, the advent of “ambient intelligence”, and improving the awareness level of users as the main security issues that the European Commission aims to address through dialogue, partnership and empowerment. These strategies are described in the Communication (see box 2).

Box2.europeancommission’smulti-stakeholderdialogue

The Commission proposes a series of measures designed to establish an open, inclusive and multi-stakeholder dialogue:

• A benchmarking exercise for national policies relating to network and information security, to help identify the most effective practices so that they can then be deployed on a broader basis throughout the EU. In particular, this exercise will identify best practices to improve the awareness of small and medium enterprises (SMEs) and citizens of the risks and challenges associated with network and information security; and

• A structured multi-stakeholder debate on how best to exploit existing regulatory instruments. This debate will be organized within the context of conferences and seminars.

18 Europa, “Strategy for a secure information society (2006 communication)”, European Commission, http://europa.eu/legislation_summaries/information_society/internet/l24153a_en.htm.


Partnership

Effective policymaking requires a clear understanding of the nature of the challenges to be tackled, as well as reliable, up-to-date statistical and economic data. Accordingly, the Commission will ask ENISA to:

• Build a partnership of trust with member States and stakeholders in order to develop an appropriate framework for collecting data; and

• Examine the feasibility of a European information sharing and alert system to facilitate effective response to threats. This system would include a multilingual European portal to provide tailored information on threats, risks and alerts.

In parallel, the Commission will invite member States, the private sector and the research community to establish a partnership to ensure the availability of data pertaining to the ICT security industry.

Empowerment

The empowerment of stakeholders is a prerequisite for fostering their awareness of security needs and risks. For this reason, member States are invited to:

• Proactively participate in the proposed benchmarking exercise for national policies;• Promote, in cooperation with ENISA, awareness campaigns on the benefits of adopting

effective security technologies, practices and behaviour;• Leverage the roll-out of e-government services to promote good security practices; and• Stimulate the development of network and information security programmes as part of

higher education curricula.

Private sector stakeholders are also encouraged to take initiatives to:

• Define responsibilities for software producers and ISPs in relation to the provision of adequate and auditable levels of security;

• Promote diversity, openness, interoperability, usability and competition as key drivers for security, and to stimulate the deployment of security-enhancing products and services to combat ID theft and other privacy-intrusive attacks;

• Disseminate good security practices for network operators, service providers and SMEs;• Promote training programmes in the private sector to provide employees with the

knowledge and skills necessary to implement security practices;• Work towards affordable security certification schemes for products, processes and

services that will address EU-specific needs; and• Involve the insurance sector in developing risk management tools and methods.

Source: Abridged from Europa, “Strategy for a secure information society (2006 communication)”, European Commission, http://europa.eu/legislation_summaries/information_society/internet/l24153a_en.htm.

On March 2009, the Commission adopted a Communication on Critical Information Infrastructure Protection (CIIP) – “Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience”.19 It sets out a plan (the “CIIP action plan”) to strengthen the security and resilience of vital ICT infrastructures. The aim was to stimulate and support

19 Commission of the European Communities, “Critical Information Infrastructure Protection - Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience”, Communication COM(2009) 149 final, 30 March 2009, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0149:FIN:EN:PDF.


the development of a high level of preparedness, security and resilience capabilities both at national and European levels. This approach was broadly endorsed by the Council in 2009.20

The CIIP action plan is built on five pillars: (1) preparedness and prevention; (2) detection and response; (3) mitigation and recovery; (4) international cooperation; and (5) criteria for the European Critical Infrastructures in the field of ICT. The CIIP action plan sets out the work to be done under each pillar by the Commission, the member States and/or industry, with the support of ENISA.

The Digital Agenda for Europe21 (DAE) adopted in May 2010, and the related Council Conclusions22 highlighted the shared understanding that trust and security are fundamental pre-conditions for the wide uptake of ICT and therefore for achieving the objectives of the “smart growth” dimension of the Europe 2020 Strategy.23 The DAE emphasises the need for all stakeholders to join forces in a holistic effort to ensure the security and resilience of ICT infrastructures. To achieve this, the DAE stressed the need to focus on prevention, preparedness and awareness, as well as develop effective and coordinated mechanisms to respond to new and increasingly sophisticated forms of cyberattacks and cybercrime. This approach ensures that both the preventive and the reactive dimensions of the challenge are duly taken into account.

The following measures, announced in the Digital Agenda, have been taken:

• The Commission adopted on September 2010 a proposal for a Directive on attacks against information systems.24 It aims to strengthen the fight against cybercrime by approximating member States’ criminal law systems and improving cooperation between judicial and other competent authorities. It also introduces provisions to deal with new forms of cyberattacks, in particular botnets.

• Complementing this, the Commission at the same time tabled a proposal25 for a new mandate to strengthen and modernize ENISA in order to boost trust and network security. Strengthening and modernizing ENISA will help the EU, member States and private stakeholders develop their capabilities and preparedness to prevent, detect and respond to cybersecurity challenges.

Council of Europe Convention on Cybercrime

In 2001, the EU promulgated the Council of Europe Convention on Cybercrime (CECC) that “lays down guidelines for all governments wishing to develop legislation against cybercrime” and “provides a framework for international co-operation in this field.” Thirty-nine European countries signed the treaty, as well as Canada, Japan, South Africa and the US. This makes the CECC, which entered into force in July 2004, “the only binding international treaty on the subject to have been effectuated to date.”26

20 Council Resolution of 18 December 2009 on a collaborative European approach to Network and Information Security (2009/C 321/01).

21 European Commission, “A Digital Agenda for Europe”, Communication COM (2010) 245, 19 May 2010, http://ec.europa.eu/information_society/digital-agenda/documents/digital-agenda-communication-en.pdf.

22 Council Conclusions of 31 May 2010 on Digital Agenda for Europe (10130/10).23 COM(2010) 2020 and Conclusions of the European Council of 25/26 March 2010 (EUCO 7/10). 24 European Commission, “Proposal for a Directive of the European Parliament and of the Council on attacks against information

systems and repealing Council Framework Decision”, Brussels, 30 September 2010, http://www.statewatch.org/news/2010/sep/ceu-com-atacks-on-info-systems-com-517-10.pdf.

25 European Commission, “Proposal for a Regulation of the European Parliament and of the Council Concerning the European Network and Information Security Agency (ENISA)”, Brussels, 30 September 2010, http://www.coe.int/t/dghl/standardsetting/t-cy/Proposal%20new%20regulation%20ENISA.pdf.

26 Council of Europe, “Cybercrime: a threat to democracy, human rights and the rule of law”, http://www.coe.int/t/dc/files/themes/cybercrime/default_en.asp.


European Network and Information Security Agency

ENISA was established by the European Parliament and EU Council on 10 March 2004 “to help increase network and information security within the [EU] Community and to promote the emergence of a culture of network and information security for the benefit of citizens, consumers, businesses and public sector organizations.”

The Permanent Stakeholders Group (PSG) Vision for ENISA27 articulated in May 2006 sees ENISA as a centre of excellence in network and information security, a forum for NIS stakeholders, and a driver of information security awareness for all EU citizens. To this end, the following long-term actions for ENISA are stipulated in the PSG Vision (see figure 6):

figure6.Long-termactionforeNISa

Source: Paul Dorey and Simon Perry, eds. The PSG Vision for ENISA (Permanent Stakeholders Group, 2006), http://www.enisa.europa.eu/about-enisa/structure-organization/psg/files/psg-vision.

1. Cooperate and coordinate member States’ national network and information security authorities

Cooperation between national agencies is very low at the moment. Much good can be done by fostering increasing communication and cooperation between the national agencies, particularly in sharing best practice from advanced agencies to those who are just starting.

2. Cooperate with research institutes

ENISA’s purpose should be to direct basic research and targeted technical development in order to focus on the areas of greatest benefit to managing actual security risk in real-world systems. ENISA should not support a research agenda by itself, but rather work on aligning existing processes and priorities of existing programmes.

27 Paul Dorey and Simon Perry, eds., The PSG Vision for ENISA (Permanent Stakeholders Group, 2006), http://www.enisa.europa.eu/about-enisa/structure-organization/psg/files/psg-vision.


3. Cooperate with software and hardware vendors

Vendors of software and hardware are by definition competitors and it can be difficult for them to openly agree on mutual practices. ENISA could provide unbiased opinion and a forum for sensitive discussions, while maintaining the necessary hygiene against anti-competitive behaviour.

ENISA’s long-term vision should focus more on creating reliable network and information technologies that are resistant to worms and other problems, instead of extending current incremental security trends. This could be achieved with the promotion of techniques for developing correct, secure and reliable architectures and software.

4. Participate in standard-setting bodies

With an eye to identifying and publicizing initiatives of greatest value, ENISA should track and monitor NIS-related topics in standards-setting bodies, including following up the work of various available security certification and accreditation bodies.

5. Participate in legislative process through lobbying and opinions

ENISA should work to gain the position of a trusted consultant body to be heard early in the process of drafting and proposing directives and other legislation in NIS-related issues.

6. Work with user organizations

Often user organizations are not as well represented in legislative and standard-setting bodies as are vendors. ENISA could provide end user groups with an insight into standards work and an opportunity to influence such work.

7. Identify and promote best practices of member States to end user industry

ENISA should not only protect business interests, but also enhance end users’ confidence in the use of the Internet and digital media.

8. Work for a technical and political solution for identity management

Lack of confidence in the Internet is the main obstacle to large-scale consumer-oriented e-business. Being able to accurately check the identity of an owner of a site, an e-mail address, or some online service would be a huge step to renew and increase the common user’s trust in the Internet. Technical solutions in this area should be sought through industry-led processes, but ENISA could work towards EU-wide policies for authentication of online entities.

9. Balance the efforts for both “information” and “network” security issues

ENISA should communicate with the largest Internet and network service providers (ISPs/NSPs) to help them identify best practices for the benefit of businesses and consumers across Europe. This is important because ISPs/NSPs can play a key role in improving security in the Internet at large. Sufficient co-operation and coordination of the actions ISPs are taking is lacking at the moment.

Source: Abridged from Paul Dorey and Simon Perry, eds., The PSG Vision for ENISA (Permanent Stakeholders Group, 2006), http://www.enisa.europa.eu/about-enisa/structure-organization/psg/files/psg-vision.


ENISA is as a body of expertise, set up by the EU to carry out very specific technical, scientific tasks in the field of information security, working as a “European Community Agency”. The Agency also assists the European Commission in the technical preparatory work for updating and developing Community legislation in the field of NIS.

The main tasks of ENISA are focused on:

• Advising and assisting the Commission and the member States on information security and in their dialogue with industry to address security-related problems in hardware and software products

• Collecting and analysing data on security incidents in Europe and emerging risks• Promoting risk assessment and risk management methods to enhance the capability to

deal with information security threats• Awareness-raising and cooperation between different actors in the information security

field, notably by developing public-private partnerships with industry in this field

Information security strategy of the Republic of Korea

The Republic of Korea has successfully positioned itself as a global leader in ICT. The country is ranked third in ITU’s information technology development index and ranked 15th in the World Economic Forum’s network preparation index. And the country is currently ranked very high in the world’s major IT indices.

The Republic of Korea quickly moved towards the age of ubiquitous society that brings revolutionary changes in all aspects of daily life through advancement to an information society and the convergence of ICT and other industries. It was, however, followed by various adverse effects such as the gap between culture and technologies, and invasions of privacy.

In response to these adverse effects, the Korean government established a comprehensive strategy entitled the “Basic Strategy for Ubiquitous Information Security” in December 2006. The main aims of the strategy are to ensure that Koreans can safely use ICT services in all areas, including financial, educational and medical services; and that personal privacy is protected and a good information-use environment is implemented. The Basic Strategy for Ubiquitous Information Security expands the concept of information protection to encompass u-Security, u-Privacy, u-Trust and u-Clean. Also, by working from the perspective of user protection, it regards the need for information protection as an enabler rather than an obstacle in the ubiquitous society.

Since the mid-1980s, the Republic of Korea has pursued a national informatization plan, and it now seems that it has reached a stabilization period, but information security as a national goal is a comparably new focus that began in the mid-2000. Studies at that time revealed that the ICT system/financial scales, and the relevant infrastructure and research and development efforts were all very weak. Thus, the Korean government decided to establish key ICT infrastructure in a step-by-step manner through the pursuit of a comprehensive plan. In July 2008, the government launched the Mid-Term Comprehensive Plan for Information Security. This Plan is comprised of six agendas, as follows:

1. Improve the nation’s capability in handling cyberattacks2. Strengthen the protection of national critical information infrastructures3. Strengthen the personal information protection system4. Expand information security infrastructures5. Enhance the competitiveness of the information security industry6. Establish an information security culture


These six agendas can be broken down further into 18 main tasks and 73 detailed tasks. Under this plan, the government spelled out its goal of establishing a safe and trustworthy ubiquitous society by ensuring the reliability of the e-government services, eliminating the anxieties of citizens and achieving integrity in business activities.

As mobile devices becomes ubiquitous and “smarter” with multiple features and applications that users can use to perform various electronic services, this new mobile environment is also subject to daily security threats. In a preemptive response to those problems and challenges, the Korean government established various collaborative platforms for smartphone and mobile security countermeasures, and announced the Mobile Information Security Strategy in December 2010. The vision of this strategy is for the Republic of Korea to become the world leader in mobile security. Its goals include quality improvement in future mobile services and infrastructure security; privacy protection for mobile users; and mobile security infrastructure advancement. In the strategy, there are three focus areas and 10 main tasks (see figure 7).

figure7.themobileInformationSecurityStrategyoftherepublicofKorea

Information security strategy of Japan28

In keeping with its goal of becoming an “information security advanced nation”,29 Japan has articulated a detailed set of objectives, basic principles and projects in the area of information security. The Information Security Policy Council and National Information Security Center (NISC) are the core organizations overseeing all information security-related work in the country. In the area of research on cyberthreats, the Cyber Clean Center has been set up to analyse the characteristics of bots and formulate an effective and safe response method.

Japan’s information security strategy is divided into two parts: (1) the First National Strategy on Information Security, which is generally applied; and (2) Secure Japan YYYY. The First National Strategy on Information Security recognizes the need for all entities in an IT society “to participate in the creation of an environment for the safe use of IT.” The Strategy recognizes entities “that actually adopt and implement measures as a component of IT society.”30 These “implementing entities” are divided into four: the central and local governments, critical infrastructures, businesses and individuals. Each is required to establish its own roles and plans and operate them (see table 4).

28 This section is drawn from NISC, “Japanese Government’s Efforts to Address Information Security Issues: Focusing on the Cabinet Secretariat’s Efforts”, presentation, November 2007, http://www.nisc.go.jp/eng/.

29 Information Security Policy Council, “The First National Strategy on Information Security: Toward realization of a trustworthy society”, 2 February 2006, p. 5. http://www.nisc.go.jp/eng/pdf/national_strategy_001_eng.pdf.

30 Ibid., p. 11.


table4.rolesandplansofeachcategorybasedonthefirstNationalStrategyonInformationSecurity

Category Roles Plans

Central and local governments

Giving best practices for information security measures

Standard for Measures

Critical infrastructures

Ensuring a stable supply of their services as the basis of people’s social lives and economic activities

Critical Infrastructures Action Plan

Businesses

Implementing information security measures so as to be highly regarded by the market

Measures promoted by Ministries and Agencies

Individuals Raising awareness as main player of IT society

Measures promoted by Ministries and Agencies

Source: NISC, Japanese Government’s Efforts to Address Information Security Issues (November 2007), http://www.nisc.go.jp/eng/.

Practical policies from the First National Strategy on Information Security are as follows:

• Promoting information security technology – Developing technologies dedicated to government use and promoting technology development addressing the “Grand Challenge” of fundamental technology innovation with a long-term perspective;

• Promoting international cooperation and collaboration – Contributing to the establishment of international bases for information security and reassurance, and making Japan-led international contributions;

• Developing human resources – Developing human resources with practical skills and talents and wide-ranging abilities, and organizing a qualification system for information security; and

• Crime control and protection/remedial measure for rights and interests – Reinforcing cybercrime control and developing the relevant legal bases, and developing technology for the improvement of security in cyberspace.

Secure Japan YYYY is an annual plan for information security. Secure Japan 2007 included 159 information security implementation measures and the direction of plan-documentation for 24 priorities for 2007. These can be summarized as follows:

• Enhancement of information security measures for central government agencies;• Dissemination of measures for the bodies that are lagging behind in taking measures to

ensure information security, as well as for the general public; and • Intensive efforts toward strengthening the information security platform.

The Information Security Policy Council established the Second National Strategy on Information Security in February 2009. Entitled the “Information Security Strategy for Protecting the Nation (Mid-term Plan: 2010-2013)”, it includes updates and has prioritized the measures in the previous national strategy (see figure 8 for a summary of the strategy).


figure8.SummaryoftheInformationSecurityStrategyforProtectingtheNation(mid-termPlan:2010-2013)

The aims of the Information Security Strategy for Protecting the Nation include:

• Ensuring secure and safe lives of citizens• Establishing security and crisis management policies against cyberattacks• Contributing to economic growth through IT

The main categories of the Strategy are as follows:

A. Establishing response capabilities for large-scale cyberattacks

1. Improving response capabilities

2. Establishing and reinforcing the framework for information collection and sharing

B. Reinforcing information security policies to address the new environment

1. Reinforcing information security foundations to protect the nation• Reinforcing foundations of governmental agencies, critical infrastructure, and others

2. Reinforcing protection of citizens / IT users• Promoting security awareness• Providing information security consultation services• Promoting protection of personal information• Reinforcing defence against cybercrimes

3. Promoting international collaboration• Reinforcing collaboration with US, ASEAN and EU• Promoting information sharing at international conferences• Reinforcing functions of NISC as the national point of contact

4. Promoting research and development strategies• Strategically promoting information security related research and development

programmes• Developing human resources for information security• Establishing “information security governance”

5. Improving institutions associated with information security• Supporting institutions that contributes towards cyberspace security• Studying overseas institutions associated with information security


Based on the revised strategy, a 2010 annual plan for information security for was developed. It enumerates the detailed policies to be implemented from financial year 2010 to 2011, which includes 196 measures.

figure9.asummaryofthe2010annualPlanforInformationSecurity


1. How different are the information security activities in your country from those described above?

2. Are there information security activities being undertaken in the countries mentioned in this section that would not be applicable in or relevant to your country? If so, which ones and why would they not be applicable or relevant?

3.2 International Information Security Activities

Information security activities of the United Nations

At the UN-sponsored World Summit on the Information Society (WSIS)31 a declaration of principles and plan of action for effective growth of information society and closing the “information divide” were adopted. The plan of action identifies the following action lines:

• The role of governments and all stakeholders in the promotion of ICTs for development• Information and communication infrastructure as an essential foundation for an inclusive

information society• Access to information and knowledge• Capacity building• Building confidence and security in the use of ICTs• [Creating] an [e]nabling environment

31 World Summit on the Information Society, “Basic Information: About WSIS”, http://www.itu.int/wsis/basic/about.html.


• ICT applications in all aspects of life• Cultural diversity and identity, linguistic diversity and local content• Media• Ethical dimensions of the Information Society• International and regional cooperation32

The Internet Governance Forum (IGF)33 is the supporting organization of the UN for Internet Governance issues. It was established following the second phase of WSIS in Tunis to define and address issues related to Internet governance. The second IGF forum, held in Rio de Janeiro on 12-15 November 2007, focused on information security issues such as cyberterrorism, cybercrime and the safety of children on the Internet.

Information security activities of the OECD34

The Organisation for Economic Co-operation and Development (OECD) is a unique forum where governments of 30 market democracies work together with business and civil society to address the economic, social, environmental and governance challenges facing the globalizing world economy. Within the OECD, the Working Party on Information Security and Privacy (WPISP) works under the auspices of the Committee for Information, Computer and Communications Policy to provide analyses of the impact of ICT on information security and privacy, and to develop policy recommendations by consensus to sustain trust in the Internet economy.

WPISP work on information security: In 2002 the OECD issued the “Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security”35 to promote “security in the development of information systems and networks and the adoption of new ways of thinking and behaving when using and interacting within information systems and networks.”36

To share experiences and best practices in information security, the Global Forum on Information Systems and Network Security was held in 2003 and the OECD-APEC Workshop on Security of Information Systems and Networks in 2005.

A project to research methods on countering botnet from information security and privacy perspectives was proposed in 2010. A volunteer group has been formed to follow up on the project. The volunteer group consists of representatives from Australia, Canada, Germany, Japan, the Republic of Korea, the Netherlands, Sweden, Turkey, UK, USA and EU, and the Committees to the OECD (including the Business and Industry Advisory Committee, Civil Society Information Society Advisory Committee and the Internet Technical Advisory Committee). The Republic of Korea will be participating in this project and will also be providing financial support.

WPISP work on privacy: The “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data” issued in 1980 represents an international consensus on the handling of personal information in the public and private sectors. “Privacy Online: OECD Guidance on Policy and Practice” issued in 2002 focuses on privacy-enhancing technologies, online privacy policies, enforcement and redress, and the like in relation to e-commerce. At present, the WPISP is working on Privacy Law Enforcement Cooperation.

32 World Summit on the Information Society, “Plan of Action”, 12 December 2003, http://www.itu.int/wsis/docs/geneva/official/poa.html.

33 Internet Governance Forum, http://www.intgovforum.org.34 This section is drawn from WPISP, “Working Party on Information Security and Privacy” (May 2007).35 OECD, OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (Paris, 2002),

http://www.oecd.org/dataoecd/16/22/15582260.pdf.36 Ibid., p. 8.


The project to develop indicators on information security and privacy for reliable and comparative statistics among OECD members is proposed in 2011. The Republic of Korea will contribute to this project through active participation and financial support.

Other work: In 1998 the OECD issued the “Guidelines on Cryptography Policy” and held the Ottawa Ministerial Declaration on Authentication for Electronic Commerce. A “Survey of Legal and Policy Frameworks for E-Authentication Services and e-Signatures in OECD Member Countries” was conducted from 2002 to 2003. In 2005, “The Use of Authentication across Borders in OECD Countries” was announced.

In 2004 “Biometric-Based Technologies” was written, and in 2005 the taskforce on spam was formed. Other ongoing work relates to digital identity management, malware, pervasive radio frequency identification (RFID), sensors and networks, and a common framework for implementing information security and privacy.

Information security activities of APEC37

The Asia-Pacific Economic Cooperation (APEC) is pursuing information security activities in the Asia-Pacific region through the Telecommunications and Information Working Group (TEL), which consists of three steering groups: the Liberalization Steering Group, ICT Development Steering Group, and Security and Prosperity Steering Group.

Especially since the Sixth APEC Ministerial Meeting on the Telecommunications and Information Industry held in Lima, Peru in June 2005, the Security and Prosperity Steering Group has stepped up discussions on cybersecurity and cybercrime. The APEC Cyber-Security Strategy, which includes strengthening consumer trust in the use of e-commerce, serves to unify the efforts of various economies. These efforts include enacting and implementing laws on cybersecurity that are consistent with the UN General Assembly Resolution 55/6338 and the Convention on Cybercrime.39 The TEL Cybercrime Legislation Initiative and Enforcement Capacity Building Project will support institutions in implementing new laws.

APEC members are also working together to implement CERTs as an early warning defence system against cyberattacks. The Republic of Korea is providing training to developing country members, and guidelines for establishing and operating CERTs have been developed.

The protection of SMEs and home users from cyberattacks and viruses is considered a priority and a number of tools have been developed for this purpose. Information is being provided on how to use the Internet securely, and on safety issues relating to wireless technologies and safe e-mail exchanges.

Reducing the criminal misuse of information through information sharing, development of procedures and mutual assistance laws, and other measures to protect business and citizens, will continue to be a priority for the APECTEL. As part of its agenda on security issues, the APECTEL approved in 2007 the “Guide on Policy and Technical Approach against Botnet” and the Workshop on Cyber Security and Critical Information Infrastructure.

37 This section is drawn from APEC, “Telecommunications and Information Working Group”, http://www.apec.org/Home/Groups/SOM-Steering-Committee-on-Economic-and-Technical-Cooperation/Working-Groups/Telecommunications-and-Information.

38 “Combating the criminal misuse of information”, which recognizes that one of the implications of technological advances is increased criminal activity in the virtual world.

39 An Agreement undertaken in Budapest that aims to uphold the integrity of computer systems by considering as criminal acts any action that violates said integrity. See http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm.


As endorsed by the APEC Counter-Terrorism Task Force (CTTF) and APECTEL in 2009, the “Third APEC Seminar on the Protection of Cyberspace to Better Defend Our Economies through IT Security” was held in Seoul, Republic of Korea on 7-8 September 2011 with 86 of delegates, moderator and speakers from 16 economies. The Seminar was hosted by the Ministry of Foreign Affairs and Trade, Ministry of Public Administration and Security, and the KCC, and sponsored by the Korea Internet & Security Agency (KISA).

The Seminar is a follow-up activity to the two previous CTTF-TEL joint projects, namely the “APEC Training Program for a Strengthened Cyber Security in the Asia-Pacific Region” held on 15-30 November 2007, in Seoul, and the “APEC Seminar on Protection of Cyberspace from Terrorist Use and Attacks” held on 26-27 June 2008, in Seoul. Building on the outcomes of the training programme and the first seminar, the third seminar brought together government officials and experts from APEC member economies to address various cybersecurity issues including protection of critical infrastructure from terrorist attacks.

Information security activities of the ITU40

The ITU is the leading UN agency for ICTs. Based in Geneva, Switzerland, the ITU has 191 member States and more than 700 sector members and associates.

The ITU’s role in helping the world communicate spans three core sectors. The Radiocommunication Sector (ITU-R) is focused on managing the international radio frequency spectrum and satellite orbit resources. The Telecommunication Standardization Sector (ITU-T) focuses on standardization of information-communication networks and services. The Development Sector (ITU-D) was established to help spread equitable, sustainable and affordable access to ICT as a means of stimulating broader social and economic development. The ITU also organizes telecommunications-related events and was the lead organizing agency of the WSIS.

A fundamental role of ITU following WSIS is to build confidence and security in the use of ICTs. At WSIS, Heads of States and world leaders entrusted the ITU to take the lead in coordinating international efforts in the field of cybersecurity, as the sole facilitator of Action Line C.5, “Buidling confidence and security in the use of ICTs”. Cybersecurity is one of the key focus areas under ITU-D. The focus areas of WSIS Action Line C.5 are:

• CIIP• Promotion of a global culture of cybersecurity• Harmonizing national legal approaches, international legal coordination and enforcement• Countering spam• Developing watch, warning and incident response capabilities• Information sharing of national approaches, good practices and guidelines• Privacy, data and consumer protection

The ITU Global Cybersecurity Agenda (GCA) is an ITU framework for international cooperation aimed at proposing solutions to enhance confidence and security in the information society. GCA has five strategic pillars: legal framework, technical measures, organization structures, capacity building and international cooperation. The strategies are elaborated through the following goals:

• Develop a model cybercrime legislation that is globally applicable and interoperable with existing national/regional legislative measures

40 This section is drawn from ITU’s website, http://www.itu.int.


• Create national and regional organizational structures and policies on cybercrime• Establish globally accepted minimum security criteria and accreditation schemes for software

applications and systems• Create a global framework for watch, warning and incident response to ensure cross-border

coordination of initiatives• Create and endorse a generic and universal digital identity system and the necessary

organizational structures to ensure the recognition of digital credentials for individuals across geographical boundaries

• Develop a global strategy to facilitate human and institutional capacity building to enhance knowledge and know-how across sectors and in all of the above-mentioned areas

• Advise on a potential framework for a global multi-stakeholder strategy for international cooperation, dialogue and coordination in all of the above-mentioned areas

The GCA has fostered initiatives such as the Child Online Protection Initiative through its partnership with IMPACT and with the support of leading global players.

Another initiative is the ITU Cybersecurity Gateway that aims to provide an easy-to-use and interactive information resource on initiatives that are related to national and international cybersecurity. It is available to citizens, governments, businesses and international organizations. Services provided by the Gateway include information sharing, watch and warning, laws and legislation, privacy and protection, and industry standards and solutions.

The ITU-D also oversees the ITU Cybersecurity Work Programme that was established to help countries develop technologies for high-level security of cyberspace. It provides assistance related to the following: • Establishing national strategies and capabilities for cybersecurity and CIIP• Establishing appropriate cybercrime legislation and enforcement mechanisms• Establishing watch, warning and incident response capabilities• Countering spam and related threats• Bridging the security-related standardization gap between developing and developed

countries• Establishing an ITU Cybersecurity/CIIP Directory, contact database and Who’s Who

publication• Setting cybersecurity indicators• Fostering regional cooperation activities• Information sharing and supporting the ITU Cybersecurity Gateway• Outreach and promotion of related activities

Other ITU-D cybersecurity-related activities are joint activities with StopSpamAlliance.org; regional capacity building activities on cybercrime legislation and enforcement; and development and distribution of resources and toolkits, including a botnet mitigation toolkit,41 a toolkit for model cybercrime legislation for developing countries, a national cybersecurity self-assessment toolkit,42 and cybersecurity/cybercrime publications and papers.43

The ITU-T sector is also contributing to the area of cybersecurity through its development of over 70 security-related standards (ITU-T Recommendations). Recently at a cybersecurity symposium, participants asked ITU-T to accelerate its work in this area, and in response, ITU-T is now giving added emphasis to the development of security standards. To assist in this process,

41 Suresh Ramasubramanian and Robert Shaw, “ITU Botnet Mitigation Project: Background and Approach”, ITU presentation, September 2007, http://www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-botnet-mitigation-toolkit.pdf.

42 ITU-D Applications and Cybersecurity Division, “ITU National Cybersecurity / CIIP Self-Assessment Tool”, ITU, http://www.itu.int/ITU-D/cyb/cybersecurity/projects/readiness.html.

43 ITU-D Applications and Cybersecurity Division, “Toolkits, Papers and Publications”, ITU, http://www.itu.int/ITU-D/cyb/cybersecurity/.


ITU-T developed an “ICT Security Standards Road Map” that brings together information about existing standards, standards under development and future areas of security standards work.44

Standardization work is carried out by the technical study groups (SGs) in which representatives of the ITU-T membership develop recommendations (standards) for the various fields of international telecommunications. The SGs drive their work primarily in the form of study questions. Each question addresses technical studies in a particular area of telecommunication standardization.

Within ITU-T, Study Group 17 (SG17) 45 coordinates security-related work across all study groups.

SG17 is responsible for studies relating to security including cybersecurity, countering spam and identity management. It is also responsible for the application of open system communications including directory and object identifiers, and for technical languages, the method for their usage and other issues related to the software aspects of telecommunication systems.

The SG17 structure for study period 2009-2012 is as follows:

• Working Party 1. Network and information securityx Question 1 – Telecommunications systems security projectx Question 2 – Security architecture and frameworkx Question 3 – Telecommunications information security managementx Question 4 – Cybersecurityx Question 5 – Countering spam by technical means

• Working Party 2. Application securityx Question 6 – Security aspects of ubiquitous telecommunication servicesx Question 7 – Secure application services x Question 8 – Service oriented architecture security x Question 9 – Telebiometrics

• Working Party 3. Identity management and languages x Question 10 – Identity management architecture and mechanismsx Question 11 – Directory services, directory systems, and public key/attribute

certificatesx Question 12 – Abstract Syntax Notation One (ANS.1), Object Identifiers and

associated registrationx Question 13 – Formal languages and telecommunication software x Question 14 – Testing languages, methodologies and framework x Question 15 – Open Systems Interconnection

One key reference for security standards in use today is the ITU-T Recommendation X.509 for electronic authentication over public networks. X.509 is used for designing applications related to public key infrastructure, and is widely used in a wide range of applications from securing the connection between a browser and a server on the Web to providing digital signatures that enable e-commerce transactions. Another achievement of SG17 is Recommendation X.805, which will give telecommunications network operators and enterprises the ability to provide an end-to-end architecture description from a security perspective.46

44 ITU, “ICT Security Standards Roadmap”, http://www.itu.int/ITU-T/studygroups/com17/ict/index.html.45 ITU-T Study Group 17 (Study period 2009-2012), http://www.itu.int/ITU-T/studygroups/com17/index.asp.46 ITU, “Study Group 17 at a Glance”, http://www.itu.int/net/ITU-T/info/sg17.aspx.


SG 17 is also the place to study technical languages and description techniques. An example is the formal language ASN.1, an important component for protocol specification or systems design. ASN.1 is an extremely important part of today’s networks. ASN.1 is used, for example, in the signaling system for most telephone calls, package tracking, credit card verification and digital certificates and in many of the most used software programs. And today’s work is progressing towards the development of unified modeling language profiles for ITU-T languages.47

Information security activities of the ISO/IEC

An Information Security Management System (ISMS) is, as the name suggests, a system for managing information security. It consists of processes and systems to ensure confidentiality, integrity and availability of information assets while minimizing security risks. ISMS certification is increasingly popular around the world, with 2005 as a turning point in the history of internationally standardized ISMS due to the release of two documents: IS 27001 states the requirements for establishing an ISMS, and IS 17799: 2000, published as IS 17799:2005, stipulates basic controls for implementing an ISMS.

The de facto ISMS standard was the BS 7799, which was first developed by the British Standards Institution (BSI) in 1995 as the code of practice for information security management. In 1998, as the requirements specification was developed based on this standard, “the code of practice for information security management” was changed to Part 1 and the requirements specification became Part 2. Part 1 specifies controls for information security management, while Part 2 states the requirements for establishing an ISMS and describes the information security process (Plan-Do-Check-Act Cycle) for the continuous improvement of the base of risk management.

Part 1 was established as IS 17799 by the ISO/IEC JTC 1/SC27 WG1 in 2000. Since then, IS 17799 has been reviewed (with over 2,000 comments) and revised, and the final version was registered to the international standard in November 2005. IS 17799: 2000 provides 126 controls within 10 domains. IS 17799 revised in 2005 provides 11 administrative control domains and 133 controls.

Part 2 of BS 7799 established in 1999 had been used as the standard for ISMS certification. It was revised in September 2002 to align with ISO 9001 and ISO 14001, among others. The ISO adopted BS7799 Part 2: 2002 through the fast track method for coping with requests for the international standardized ISMS and registered it as the international standard ISO27001 by revising it slightly within a short time. The prominent changes made include adding content about effectiveness and modifying the appendix.

As the two important documents related to ISMS have been standardized internationally, a family of international security standards has emerged under the 27000 serial number scheme, which is the same as the other management systems (Quality business: 9000 series, Environmental management: 14000 series). IS 27001, the revised version of IS 17799:2005, embodies the requirements for establishing an ISMS and IS17799:2005, which includes the basic controls for implementing ISMS, has been changed to IS27002 in 2007. Guidance for the implementation of an ISMS, a standard for information security risk management, and information security management measurement developed by JTC1 SC27 are in the 27000 series.

Figure 10 shows the family of ISMS-related standards. ISMS certification activities are gaining momentum and it is expected that ISMS standards or guidelines that are appropriate to specific industries are being developed based on the common ISMS for general systems. An example is the effort to develop ISMS guidelines reflecting the characteristics of the communications industry.

47 Ibid.


figure10.ISo/Iec27000family


Which of the information security activities being spearheaded by international organizations have been or are being adopted in your country? How are they being implemented?

Test Yourself

1. What are the similarities among the information security activities being undertaken by the countries included in this section? What are their differences?

2. What are the information security priorities of the international organizations included in this section?


4. INformatIoNSecurItymethodoLogy

This section aims to describe internationally used administrative, physical and technical information security methodology.

4.1 Different Aspects of Information Security

Information security methodology aims to minimize damage and maintain business continuity considering all possible vulnerabilities and threats to information assets. To guarantee business continuity, information security methodology seeks to ensure the confidentiality, integrity and availability of internal information assets. This involves the application of risk assessment methods and controls. Essentially, what is needed is a good plan that covers the administrative, physical and technical aspects of information security.

Administrative aspect

There are many ISMSs that focus on the administrative aspect. ISO/IEC27001 is one of the most commonly used.

ISO/IEC27001, the international ISMS standard, is based on BS7799, which was established by BSI. BS7799 specifies requirements to implement and manage an ISMS and common standards applied to security standards of various organizations and effective security management. Part 1 of BS7799 describes the required security activities based on the best practices of security activities in organizations. Part 2, which became the present ISO/IEC27001, suggests the minimum requisites needed for ISMS operation and assessment of security activities.

The security activities in ISO/IEC27001 consist of 133 controls and 11 domains (see table 5).

table5.controlsinISo/Iec27001

Domains ItemsA5. Security policyA6. Organization of information securityA7. Asset managementA8. Human resources securityA9. Physical and environmental securityA10. Communications and operations managementA11. Access controlA12. Information systems acquisition, development and maintenanceA13. Information security incident managementA14. Business continuity managementA15. Compliance


ISO/IEC27001 adopts the Plan-Do-Check-Act process model, which is applied to structure all ISMS processes. In ISO/IEC27001, all evidence of the ISMS assessment should be documented; the certification should be externally audited every six months; and the whole process should be repeated after three years in order to continuously manage the ISMS.

figure11.Plan-do-check-actprocessmodelappliedtoISmSprocesses

Source: ISO/IEC JTC 1/SC 27.

Security controls should be planned considering the security requirements. All human resources, including suppliers, contractors, customers and outside specialists, should participate in these activities. Setting up security requirements is based on the following three factors:

• Risk assessment• Legal requirements and contract clauses• Information processes for operating the organization

Gap analysis refers to the process of measuring the current information security level and establishing the future direction of information security. The result of the gap analysis is derived from the asset owners’ answers to the 133 controls and 11 domains. Once deficient areas are identified through the gap analysis, the appropriate controls per area can be established.

Risk assessment is divided into the assessment of asset value and assessment of threats and vulnerabilities. Asset value assessment is a quantitative valuation of information assets. The threat assessment involves rating threats to the confidentiality, integrity and availability of information. The example below shows the computations involved in risk assessment.

Asset name Asset value

Threat Vulnerability RiskC I A C I A C I A

Asset name #1 2 3 3 1 3 1 1 8 6 5

• Asset Value + Threat + Vulnerability = Risk• Confidentiality: Asset Value(2) + Threat(3) + Vulnerability(3) = Risk(8)• Integrity: Asset Value(2) + Threat(3) + Vulnerability(1) = Risk(6)• Availability: Asset Value(2) + Threat(1) + Vulnerability(1) = Risk(5)


Application of controls: Each risk value will be different according to the result of the risk assessment. Decisions are needed to apply the appropriate controls to the differently valued assets. Risks should be divided into acceptable risks and unacceptable risks according to the Degree of Assurance criterion. Controls will need to be applied to information assets with unacceptable risk. The controls are applied based on the ISO/IEC controls, but it is more effective to apply controls depending on the real state of the organization.

Each country has an ISO/IEC27001 certification body. Table 6 lists the number of certificates by country.

table6.NumberofISmScertificatespercountry

Country Number of Certificates Country Number of

Certificates Country Number of Certificates

Japan 3862 Bulgaria 18 Macau 3 India 526 Croatia 17 Qatar 3 China 492 Netherlands 16 Albania 2

UK 477 Philippines 15 Argentina 2 Taiwan 431 Iran 14 Belgium 2 Germany 174 Pakistan 14 Bosnia

Herzegovina 2

Republic of Korea

106 Viet Nam 14 Cyprus 2

Czech Republic 103 Iceland 13 Isle of Man 2 USA 101 Indonesia 13 Kazakhstan 2 Spain 75 Saudi Arabia 13 Luxembourg 2 Hungary 68 Colombia 11 Macedonia 2 Italy 68 Kuwait 11 Malta 2 Poland 58 Norway 10 Ukraine 2 Malaysia 55 Portugal 10 Mauritius 2 Ireland 42 Russian

Federation 10 Armenia 1

Thailand 41 Sweden 10 Bangladesh 1 Austria 39 Canada 9 Belarus 1 Romania 35 Switzerland 9 Denmark 1 Hong Kong 32 Bahrain 8 Ecuador 1 Greece 30 Egypt 5 Jersey 1 Australia 29 Oman 5 Kyrgyzstan 1 Singapore 29 Peru 5 Lebanon 1 Mexico 27 South Africa 5 Moldova 1 France 26 Sri Lanka 5 New Zealand 1 Turkey 24 Dominican

Republic 4 Sudan 1

Brazil 23 Lithuania 4 Uruguay 1 Slovakia 23 Morocco 4 Yemen 1 UAE 20 Chile 3 Slovenia 19 Gibraltar 3 Total 7 346

Note: The number of certificates shown here are as of 19 September 2011.Source: International Register of ISMS Certificates, “Number of Certificates per Country”, ISMS International User Group Ltd., http://www.iso27001certificates.com.


Physical aspect

At present there is no international physical ISMS. Federal Emergency Management Agency (FEMA) 426,48 which is the standard for physical ISMS in the US and which many countries use as a methodology, will be described here instead.

FEMA 426 provides guidelines for protecting buildings against terrorist attacks. It is directed to “the building science community of architects and engineers, to reduce physical damage to buildings, related infrastructure, and people caused by terrorist assaults.”49 A related series of guidelines are FEMA 427 (“A Primer for the Design of Commercial Buildings to Mitigate Terrorist Attacks”), FEMA 428 (“A Primer to Design Safe School Projects in Case of Terrorist Attacks”), FEMA 429 (“Insurance, Finance, and Regulation Primer for Terrorism Risk Management in Buildings”), FEMA 430 (architect), and FEMA 438 (course).

FEMA 426 is not directly related to information security, but it is able to prevent leakage, loss or destruction of information due to physical attacks on buildings. In particular, FEMA 426 is closely related to the business continuity plan that is a component of administrative security. By observing FEMA 426, the physical aspect of the business continuity plan can be protected.

Technical aspect

There is no ISMS for technical aspects. International common evaluation standards such as the Common Criteria (CC) certification may be used instead.

Common Criteria certification50

CC certification has commercial roots. It was established to address concerns about differences in security levels of IT products from different countries. The international standard was established for the evaluation of IT products by Canada, France, Germany, the UK and the US.

Specifically, the CC presents requirements for the IT security of a product or system under the distinct categories of functional requirements and assurance requirements. CC functional requirements define desired security behaviour. Assurance requirements are the basis for gaining confidence that the claimed security measures are effective and implemented correctly. CC security functions consist of 134 components from 11 classes made up of 65 families. The assurance requirements refer to 81 components from eight classes made up of 38 families.

Security functional requirement (SFR): The SFRs specify all security functions for the Target of Evaluation (TOE). Table 7 lists the classes of security functions included in SFRs.

table7.compositionofclassinSfrs

Classes Details

FAU Security auditRefers to functions that include audit data protection, record format and event selection, as well as analysis tools, violation alarms and real-time analysis

FCO Communication Describes requirements specifically of interest for TOEs that are used for the transport of information

48 FEMA, “FEMA 426 - Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings”, http://www.fema.gov/plan/prevent/rms/rmsp426.

49 Ibid.50 Common Criteria, http://www.commoncriteriaportal.org.


Classes Details

FCS Cryptographic support

Specifies the use of cryptographic key management and cryptographic operation

FDP User data protection Specifies requirements related to protecting user data

FIA Identification and authentication

Addresses the requirements for functions to establish and verify a claimed user identity

FMT Security management

Specifies the management of several aspects of the TOE Security Functions (TSF): security attributes, TSF data and functions

FPR Privacy

Describes the requirements that could be levied to satisfy the users’ privacy needs, while still allowing the system flexibility as far as possible to maintain sufficient control over the operation of the system

FPT Protection of the TSF

Contains families of functional requirements that relate to the integrity and management of the mechanisms that constitute the TSF and the integrity of TSF data

FRU Resource utilization

Contains the availability of required resources such as processing capability and/or storage capacity

FTA TOE access Specifies functional requirements for controlling the establishment of a user’s session

FTP Trusted path/channels

Provides requirements for a trusted communication path between users and the TSF

Source: Common Criteria, Common Criteria for Information Technology Security Evaluation, July 2009, CCMB-2009-07-001.

Security assurance components (SACs): The CC philosophy requires the articulation of security threats and commitments to organizational security policy through appropriate and adequate security measures. The measures to be adopted should help identify vulnerabilities, reduce the likelihood of being exploited and reduce the extent of damage in the event that a vulnerability is exploited. 51 Table 8 lists the classes included in SACs.

table8.compositionofclassinSacs

Classes Details

APE Protection Profile (PP) evaluation

This is required to demonstrate that the PP is sound and internally consistent and, if the PP is based on one or more other PPs or on packages, that the PP is a correct instantiation of these PPs and packages.

ASE Security Target (ST) evaluation

This is required to demonstrate that the ST is sound and internally consistent and, if the ST is based on one or more PPs or packages, that the ST is a correct instantiation of these PPs and packages.

ADV Development

This provides information about the TOE. The knowledge obtained is used as the basis for conducting vulnerability analysis and testing upon the TOE, as described in the ATE and AVA classes.

51 Common Criteria, Common Criteria for Information Technology Security Evaluation, July 2009, CCMB-2009-07-001.


Classes Details

AGD Guidance documents

For the secure preparation and operation of the TOE, it is necessary to describe all relevant aspects for the secure handling of the TOE. The class also addresses the possibility of unintended incorrect configuration or handling of the TOE.

ALC Life cycle support

In the product life cycle, which includes configuration management (CM) capabilities, CM scope, delivery, development security, flaw remediation, life cycle definition, tools and techniques, it is distinguished whether the TOE is under the responsibility of the developer or the user.

ATE TestsThe emphasis in this class is on confirmation that the TSF operates according to its design descriptions. This class does not address penetration testing.

AVA Vulnerability assessment

The vulnerability assessment activity covers various vulnerabilities in the development and operation of the TOE.

ACO Composition

Specify assurance requirements that are designed to provide confidence that a composed TOE will operate securely when relying upon security functionality provided by previously evaluated software, firmware or hardware components.

Source: Common Criteria, Common Criteria for Information Technology Security Evaluation, July 2009, CCMB-2009-07-001.

Evaluation method of CC

1. Evaluation of PP (APE): The PP describes implementation-independent sets of security requirements for categories of TOE and contains a statement of the security problem that a compliant product is intended to solve. It specifies CC functional and assurance requirements, and provides a rationale for the selected functional and assurance components. It is typically created by a consumer or consumer community for IT security requirements.

2. Evaluation of ST (ASE): The ST is the basis for the agreement between the TOE developers, consumers, evaluators and evaluation authorities as to what security the TOE offers, and the scope of the evaluation. The audience for an ST may also include those managing, marketing, purchasing, installing, configuring, operating and using the TOE. An ST contains some implementation-specific information that demonstrates how the product addresses the security requirements. It may refer to one or more PPs. In this case, the ST must fulfil the generic security requirements given in each of these PPs and may define further requirements.

3. Others: Evaluation of ADV, AGD, ALC, ATE, AVA and ACO.

Common Criteria Recognition Arrangement

The Common Criteria Recognition Arrangement (CCRA) was organized for approving CC certifications among nations. It aims to ensure that CC evaluations are performed to consistent standards, eliminate or reduce duplicate evaluations of IT products or protection profiles, and improve global market opportunities for the IT industry by approving certification among member nations.

The CCRA consists of 26 member nations, of which 15 are Certificate Authorizing Participants (CAPs) and 11 are Certificate Consuming Participants (CCPs). CAPs are producers of evaluation


certificates. They are the sponsors of a compliant certification body operating in their own country and they authorize the certificates issued. A country must be a member of the CCRA as CCP for a minimum period of two years before it can apply to become a CAP. CCPs are the consumers of evaluation certificates. Although they may not maintain an IT security evaluation capability, they have an expressed interest in the use of certified/validated products and protection profiles. To become a member of the CCRA, a country should submit a written application to the Management Committee.

figure12.caPsandccPs

4.2 Examples of Information Security Methodology

US National Institute of Standards and Technology

Based on FISMA, the US National Institute of Standards and Technology (NIST) has developed guidelines and standards for strengthening the security of information and information systems that Federal institutes are able to use. The guidelines and standards aim to:

• Provide a specification for minimum security requirements by developing standards that can be used for categorization of Federal information and information systems;

• Enable security categorization of information and information systems;• Select and specify security controls for information systems supporting the executive

agencies of the Federal government; and• Verify the efficiency and effectiveness of security controls on vulnerabilities.

Guidelines related to FISMA are published as special publications and Federal Information Processing Standards Publications. There are two series of special publications: the 500 series for information technology and the 800 series for computer security. Figure 13 shows the process that US government agencies follow to establish their security plans based on this standard.


figure13.Securityplanningprocessinput/output

United Kingdom (BS7799)

As mentioned earlier, BSI analyses the security activities of organizations in the UK and gives BS7799 certification, which has now been developed to ISO27001 (BS7799 part 2) and ISO27002 (BS7799 part 1). Figure 14 shows the procedure that is followed.

figure14.BS7799certificationprocess


Japan (from ISMS Ver2.0 to BS7799 Part 2: 2002)

ISMS Ver2.0 of the Japan Information Processing Development Corporation has operated in Japan since April 2002. It has been replaced recently by BS7799 Part 2: 2002.

The rate of applications for certification has increased since the central government has promoted information security planning. Local governments have provided organizations with grant money to obtain ISMS certification. However, ISMS Ver2.0 merely emphasizes the administrative aspect and does not include the technical aspect of information security. Moreover, most organizations are interested only in being certified and not necessarily in improving their information security activities.

Figure 15 shows the ISMS certification system in Japan.

figure15.ISmScertificationinJapan

Republic of Korea (KISA ISMS)

Since 2002, KCC and KISA have introduced and operated an ISMS certification programme. KCC and KISA have made great effort to promote the ISMS certification programme, and today it is considered a very successful programme. The ISMS certification scheme and procedures are shown in figures 16 and 17, respectively. In 2011 the number of ISMS certificates reached 114. As the number has increased, the information security level of each certified organizations has been expected to increase dramatically. The certified organizations include the leading companies in various business fields such as KT, Korean Air, NHN, Daum, among others.


figure16.ISmScertificationschemeintherepublicofKorea

figure17.ISmScertificationproceduresintherepublicofKorea

• Mangetherelevantlaws,regulationsandpolicy

• SupportbudgetforISMS

• Reviewandapprovetheresultsofassessment

• ComposedofinformationSecurityexperts

• Performcertificationassessment

• Produceassessmentreport

• ComposedofKISAstaff

memberandexternalexperts

• Developcertificationcriteriaandguidelines

• OperateandimproveISMScertification

program

• Issue/managecertificates

• Providetechnicaladvices

• Conductfollow-upassessment


Germany (IT Baseline Protection Qualification)

Germany’s BSI (Bundesamt fűr Sicherheit in der Informationstechnik) is the national agency for information security. It provides IT security services to the German government, cities, organizations and individuals in Germany.

BSI has established the IT Baseline Protection Qualification based on the international standard, ISO Guide 25[GUI25] and the European standard, EN45001, which is acknowledged by the European Committee for IT Testing and Certification. The certification types include IT Baseline Protection Certificate, Self-declared (IT Baseline Protection higher level) and Self-declared (IT Baseline Protection entry level).

In addition, the Baseline protection manual (BPM) and sub-manual BSI Standard Series:100-X have been developed. The matter includes: BSI Standard 100-1 ISMS, BSI Standard 100-2 BPM Methodology and BSI Standard 100-3 Risk analysis.52

Others

Table 9 lists other existing ISMS certifications.

table9.ISmScertificationofothercountries

Certification Institutes Standards

Canada Communications Security Establishment

MG-4 A Guide to Certification & Accreditation for Information Technology Systems

Taiwan Bureau of Standards, Meteorology and Inspection CNS 17799 & CNS 17800

Singapore Information Technology Standards Committee

SS493 : Part1 (IT Security Standard Framework)& SS493 : Part 2 (Security Services) under development

52 Antonius Sommer, “Trends of Security Strategy in Germany as well as Europe”, presentation made at the 2006 Cyber Security Summit, Seoul, Republic of Korea, 10 April 2006, http://www.unapcict.org/ecohub/resources/trends-of-security-strategy-2.


5.0 ProtectIoNofPrIvacy

This section aims to: • Trace changes in the concept of privacy;• Describe international trends in privacy protection; and • Give an overview and examples of Privacy Impact Assessment.

5.1 The Concept of Privacy

Personal information is any information relating to an identifiable individual53 or an identified or identifiable natural person.54 It includes information such as an individual’s name, phone number, address, e-mail address, licence number of an automobile, physical characteristics (facial dimensions, fingerprints, handwriting etc.), credit card number and family relationship.

Inappropriate access to and collection, analysis and use of an individual’s personal information has an effect on the behaviour of others towards that individual, and ultimately has a negative impact on his/her social standing, property and safety. Therefore, personal information should be protected from improper access, collection, storage, analysis and use. In this sense, personal information is the subject of protection.

When the subject of protection is the right to personal information rather than the personal information itself, this is the concept of privacy. There are five ways to explain the right to privacy:

• The right to be free from unwanted access (e.g. physical access, access via short messaging service)

• The right not to allow personal information to be used in an unwanted way (e.g. sale of information, exposure of information, matching)

• The right not to allow personal information to be collected by others without one’s knowledge and consent (e.g. through the use of CCTV and cookies)

• The right to have personal information expressed accurately and correctly (integrity)• The right to get rewarded for the value of one’s own information

The passive concept of privacy includes the right to be let alone and the natural right related to the dignity of human beings. It is connected to the law prohibiting trespass.

The active concept of privacy includes self control of personal information or the right to manage/control personal information positively, including the right to make corrections to effects resulting from incorrect personal information.

53 Cabinet Office, Privacy and Data-sharing: The way forward for public services (April 2002), http://ctpr.org/wp-content/uploads/2011/03/Privacy-and-data-sharing-the-way-forward-for-public-services-2002.pdf.

54 EurLex, “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”, http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!DocNumber&lg=en&type_doc=Directive&an_doc=1995&nu_doc=46.


5.2 Trends in Privacy Policy

OECD guidelines on protection of privacy

In 1980, the OECD adopted the “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” also known as the “OECD Fair Information Practices.” In 2002 “Privacy Online: OECD Guidance on Policy and Practice” was announced.55 The Guidelines apply to personal data, whether in the public or private sectors, that pose a danger to privacy and individual liberties because of the manner in which such information is processed, or because of its nature or the context in which it is used. The OECD principles identified in the Guidelines outline the rights and obligations of individuals in the context of automated processing of personal data, and the rights and obligations of those who engage in such processing. Furthermore, the basic principles outlined in the Guidelines are applicable at both the national and international levels.

The eight principles that make up the OECD guidelines on privacy protection are:

1. Collection limitation principle

There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

2. Data quality principle

Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete and up-to-date.

3. Purpose specification principle

The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

4. Use limitation principle

Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the purpose specification principle except with the consent of the data subject or by the authority of law.

5. Security safeguards principle

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

6. Openness principle

There should be a general policy of openness about developments, practices and policies relating to personal data. Means should be readily available for establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

55 OECD, “Privacy Online: OECD Guidance on Policy and Practice,” http://www.oecd.org/document/49/0,3343,en_2649_34255_19216241_1_1_1_1,00.html.


7. Individual participation principle

An individual should have the right to:

a. Obtain from a data controller confirmation of whether the data controller has data relating to him/her;

b. Receive communication about data relating to him/her within a reasonable time, at a charge, if any, that is not excessive, in a reasonable manner, and in a form that is readily intelligible to him/her;

c. Be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and

d. To challenge data relating to him/her and, if the challenge is successful, to have the data erased, rectified, completed or amended.

8. Accountability principle

A data controller should be accountable for complying with measures that give effect to the principles stated above.56

UN guidelines related to protection of privacy

Since the late 1960s, the world has paid attention to the effect on privacy of automated information processing. United Nations Educational, Scientific and Cultural Organization (UNESCO) in particular has shown interest in privacy and privacy protection since the “UN Guidelines for the Regulation of Computerized Personal Data File” was adopted by the General Assembly in 1990.

The UN Guidelines are applied to documents (papers) as well as computerized data files in the public or private sectors. The Guidelines establish a series of principles concerning minimum guarantees to be provided for national legislation or in the internal laws of international organizations, as follows:

1. Principle of lawfulness and fairness

Information about persons should not be collected or processed in unfair or unlawful ways, nor should it be used for ends contrary to the purposes and principles of the Charter of the United Nations.

2. Principle of accuracy

Persons responsible for the compilation of files or those responsible for keeping them have an obligation to conduct regular checks on the accuracy and relevance of the data recorded and to ensure that they are kept as complete as possible in order to avoid errors of omission, and that they are kept up to date regularly or when the information contained in a file is used, as long as they are being processed.

3. Principle of purpose-specification

The purpose that a file is to serve and its utilization in terms of that purpose should be specified, legitimate and, when it is established, receive a certain amount of publicity or be brought to the attention of the person concerned, in order to make it possible subsequently to ensure that:

56 To read the entire document where these principles are listed, see the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html.


a. All the personal data collected and recorded remain relevant and adequate to the purposes so specified;

b. None of the said personal data is used or disclosed, except with the consent of the person concerned, for purposes incompatible with those specified; and

c. The period for which the personal data are kept does not exceed that which would enable the achievement of the purposes so specified.

4. Principle of interested-person access

Everyone who offers proof of identity has the right to know whether information concerning him/her is being processed and to obtain it in an intelligible form, without undue delay or expense, and to have appropriate rectifications or erasures made in the case of unlawful, unnecessary or inaccurate entries and, when it is being communicated, to be informed of the addressees.

5. Principle of non-discrimination

Subject to cases of exceptions restrictively envisaged under principle 6, data likely to give rise to unlawful or arbitrary discrimination, including information on racial or ethnic origin, colour, sex life, political opinions, religious, philosophical and other beliefs as well as membership in an association or trade union, should not be compiled.

6. Power to make exceptions

Departures from principles 1 to 4 may be authorized only if they are necessary to protect national security, public order, public health or morality, as well as, inter alia, the rights and freedoms of others, especially persons being persecuted (humanitarian clause), provided that such departures are expressly specified in a law or equivalent regulation promulgated in accordance with the internal legal system that expressly states their limits and sets forth appropriate safeguards.

Exceptions to principle 5 relating to the prohibition of discrimination, in addition to being subject to the same safeguards as those prescribed for exceptions to principles 1 and 4, may be authorized only within the limits prescribed by the International Bill of Human Rights and other relevant instruments in the field of the protection of human rights and the prevention of discrimination.

7. Principle of security

Appropriate measures should be taken to protect the files against both natural dangers, such as accidental loss or destruction, and human dangers, such as unauthorized access, fraudulent misuse of data or contamination by computer viruses.

8. Supervision and sanctions

The law of every country shall designate the authority that, in accordance with its domestic legal system, is to be responsible for supervising observance of the principles set forth above. This authority shall offer guarantees of impartiality, independence vis-à-vis persons or agencies responsible for processing and establishing data, and technical competence. In the event of violation of the provisions of the national law implementing the aforementioned principles, criminal or other penalties should be envisaged together with the appropriate individual remedies.

9. Transborder data flows

When the legislation of two or more countries concerned by a transborder data flow offers comparable safeguards for the protection of privacy, information should be able to circulate as freely as inside each of the territories concerned. If there are no reciprocal safeguards,


limitations on such circulation may not be imposed unduly and only in so far as the protection of privacy demands.

10. Field of application

The present principles should be made applicable, in the first instance, to all public and private computerized files and, by means of optional extension and subject to appropriate adjustments, to manual files. Special provisions, also optional, might be made to extend all or part of the principles to files on legal persons particularly when they contain some information on individuals.57

EU Data Protection Directive

The EU’s Council of Ministers adopted the European Directive on the Protection of Individuals with Regard to Processing of Personal Data and on the Free Movement of Such Data (EU Directive) on 24 October 1995 to provide a regulatory framework to guarantee secure and free movement of personal data across the national borders of EU member countries, in addition to setting a baseline of security around personal information wherever it is stored, transmitted or processed.

The EU Data Protection Directive was established in an effort to unify and harmonize with municipal laws related to privacy protection. Article 1 of the EU Directive declares that: “Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right of privacy, with respect to the processing of personal data.”

The EU Directive prohibits transferring personal information to countries that do not have an adequate level of protection, resulting in antagonism between the EU and the US government.58

Each EU member nation has revised its existing law or established a new privacy protection law to execute the EU Directive.

Other examples of EU laws about privacy protection are Article 8 of the European Convention on Human Rights, Directive 95/46/EC (Data Protection Directive), Directive 2002/58/EC (the E-Privacy Directive) and Directive 2006/24/EC Article 5 (The Data Retention Directive).59

Privacy protection in the Republic of Korea

In Korea, personal information was protected under different laws. However, to raise the level of protection in areas where there had been no applicable laws, the Privacy Protection Law was established. The Privacy Protection Law passed the National Assembly on 28 March 2011, and took effect on 30 September 2011. The main purpose of this law is to (1) eliminate “blind spots” that exits because of the absence of laws regulating offline businesses and non-profit organizations; (2) meet the needs for the adoption of global standards related to the Privacy Protection Law; and (3) protect the rights of individuals by strengthening the right to informational self-determination and legal remedy against rights violations against individuals.

57 The principles are quoted from the Office of the High Commissioner for Human Rights, “Guidelines for the Regulation of Computerized Personal Data Files”, http://www.unhcr.org/refworld/publisher,UNGA,THEMGUIDE,,3ddcafaac,0.html.

58 Domingo R. Tan, Comment, Personal Privacy in the Information Age: Comparison of Internet Data Protection Regulations in the United States and the European Union, 21 LOY. L.A. INT’L & COMP. L.J. 661, 666 (1999).

59 Justice and Home Affairs, “Data Protection”, European Commission, http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm.


There were some laws that were related to privacy protection such as the “Personal Information Protection Law in Public” and the “Act on Promotion of Information and Communication Network Utilization and Information Protection”. The “Personal Information Protection Law in Public” was abolished on 30 September 2011, when thePrivacy Protection Law came into effect. The “Act on Promotion of Information and Communication Network Utilization and Information Protection” has been revised since its enactment. Recently, this act was amended allowing individuals to determine the matters on transferring and consigning their personal information to third parties.

Personal Information Protection Law in Public: This law contains provisions for handling and managing personal information processed in computers of public institutions for the protection of privacy, as well as provisions related to reasonable performance of public business, and protection of the rights and interests of the people.

Act on Promotion of Information and Communication Network Utilization and Information Protection: The purpose of the Act is to improve the privacy protection system of the private sector, according to an expansion of information communications network and the generalization of the collection and distribution of personal information. The Act follows the process of privacy protection based on the life cycle of personal information, such as collection, use, management and deletion. The Act also includes provisions related to the rights of users of personal information and the establishment and operation of a privacy mediation committee.

Protection of Communication Secrets Act: The Act limits the target range of privacy and freedom of communication to protect privacy of communication and to guarantee freedom of communication. The law forbids invasion of a secret conversation such as through recording or eavesdropping, and it protects privacy in communications.

Location Information Protection Act: The Act seeks to regulate the collection and use of location-based information; to protect against leakage, misuse/abuse of such information; and to promote use of information in a safe environment. The law recognizes the capacity of today’s communications technology to determine the location of an individual (for example through mobile phones), and the fact that leaks of location information can cause serious privacy infringements. Thus, the law makes it a rule to never disclose location information except in cases where the law requires it.

Privacy protection in the United States of America

The US has entrusted privacy protection activities to the market since too many government restrictions have hampered e-commerce activities. As a result, privacy seals such as Trust-e or Better Business Bureau Online have emerged, and laws on protection of privacy are not integrated. The Privacy Act of 1974 provides for the protection of privacy of information in the public sector while different laws govern privacy in the private sector. There is no organization dealing with all privacy protection issues in the private sector. In the public sector, the OMB plays a role in establishing the federal government’s privacy policy according to the Privacy Act. In the private sector, the Federal Trade Commission is authorized to execute laws protecting children’s online privacy, customer credit information and fair trade practices.

US laws related to the protection of privacy include:

• The Privacy Act, 1974• Consumer Credit Protection Act, 1984• Electric Communications Privacy Act, 1986• Gramm-Leach-Bliley Act, 1999• Health Insurance Portability and Accountability Act, 1996


• Sarbanes-Oxley Act, 2002• Children’s Online Privacy Protection Act, 1998

Privacy protection measures in Japan

In 1982 Japan established a privacy protection measure based on the eight basic principles of the OECD. In 1988, the law for protection of privacy in the public sector was promulgated and came into effect. In the private sector, the Guideline for the Protection of Privacy was issued by the Ministry of International Trade and Industry in 1997. To improve conformity of national privacy protection laws with international guidelines, the Advanced Information and Telecommunications Society Promotion Headquarters has been pushing for the legislation of personal information protection law.

In addition, the Data Protection Authority has been designated as an independent agency that will ensure the proper observance of privacy protection and assist individuals in cases of invasion of privacy. The Data Protection Authority is mandated to improve the transparency of information processing, guarantee the data subjects’ rights and profits, and ensure that both the information processing agency and information users perform their duties. The Authority is also expected to play a role in protecting the national interest especially in cases involving information transfer across national borders.

Japanese laws related to the protection of privacy include the following:

• Act for the Protection of Computer Processed Personal Data Held by Administrative Organs, 1988

• Regulations of Local Governments (enacted in 1999 for 1,529 local governments)• Act for the Protection of Personal Information, 2003• Act on the Protection of Personal Information Held by Administrative Organs, 2003• Act for the Protection of Personal Information Retained by Independent Administrative

Institutions, 2003• Board of Audit Law, 2003• Guidelines for Privacy Protection with regard to RFID Tags, 2004


1. In your country, what policies and laws are in place to protect privacy of information?

2. What issues or considerations impact on the enactment and/or implementation of such policies and laws?

3. What principles (see the OECD Guidelines and the UN Guidelines) do you think underpin the policies and laws concerning privacy protection in your country?


5.3 Privacy Impact Assessment

What is PIA?

A Privacy Impact Assessment (PIA) is a systematic process of investigating, analysing and evaluating the effect on the customers’ or the nation’s privacy of the introduction of new information systems or the modification of existing information systems. PIA is based on the principle of preliminary prevention—i.e. prevention is better than cure. It is not simply a system evaluation but the consideration of the serious effects on privacy of introducing or changing new systems. Thus, it is different from the privacy protection audit that ensures the observance of internal policy and external requirements for privacy.

Because a PIA is conducted to analyse the privacy invasion factor when a new system is built, it should be performed at the early phase of development, when adjustments to development specifications are still possible. However, when a serious invasion risk occurs in collecting, using and managing personal information while operating the existing service, it would be desirable to perform a PIA and then modify the system accordingly.

The PIA process60

A PIA generally consists of three steps (see table 10).

table10.thePIaprocess

Conceptual Analysis Data Flow Analysis Follow-up AnalysisPrepare a plain language description of the scope and business rationale of the proposed initiative.

Identify in a preliminary way potential privacy issues and risks, and key stakeholders.

Provide a detailed description of essential aspects of the proposal, including a policy analysis of major issues.

Document the major flows of personal information.

Compile an environment issues scan to review how other jurisdictions have handled a similar initiative.

Identify stakeholder issues and concerns.

Assess public reaction.

Analyse data flows through business process diagrams and identify specific personal data elements or clusters of data.

Assess the proposal’s compliance with freedom of information (FOI) and privacy legislation, and relevant programme statutes. Assess the proposal’s broader conformity with general privacy principles.

Analyse risk based on the privacy analysis of the initiative and identify possible solutions.

Review design options and identify outstanding privacy issues/concerns that have not been addressed.

Prepare a response for unresolved privacy issues.

Review and analyse the physical hardware and system design of the proposed initiative to ensure compliance with privacy design requirements.

Provide a final review of the proposed initiative.

Conduct a privacy and risk analysis of any new changes to the proposed initiative relating to hardware and software design to ensure compliance with FOI and privacy legislation, relevant programme statutes, and general privacy principles.

Prepare a communications plan.

Source: Information and Privacy Office, Privacy Impact Assessment: A User’s Guide (Ontario, Management Board Secretariat, 2001), p. 5.

60 This section is drawn from Information and Privacy Office, Privacy Impact Assessment: A User’s Guide (Ontario, Management Board Secretariat, 2001).


Assessment scope of PIA

A PIA is performed when:

1. Building a new information system that will hold and manage a large quantity of personal information;

2. Using a new technology where privacy can be violated;3. Modifying an existing information system that holds and manages personal information; and4. Collecting, using, keeping and/or destroying personal information during which a risk of

privacy invasion can occur.

But it is not necessary to execute a PIA on all information systems. A PIA does not have to be performed when there is only a slight change of the existing program and system.

Examples of PIAs

Table 11 lists PIA systems in three countries.

table11.examplesofnationalPIas

USA Canada Australia/New Zealand

Legal ground

Section 208 of e-Government Act in 2002

OMB provides PIA requirements in OMB-M-03-22

Introduced its PIA policy and guideline in May 2002

Compulsory execution of PIA on the basis of common law on privacy

Voluntarily conduct of PIA (no legal ground)

PIA Handbook for supporting PIA (2004, New Zealand), guideline for PIA (2004, Australia)

Subject

All executive branch departments and agencies and contractors who use IT or who operate websites for purposes of interacting with the public; relevant cross-agency initiatives, including those that further e-government

All programmes and services that government agencies provide

No duty or limit

Actor

Agencies performing e-government project dealing with personal information

Government agencies developing or operating the programmes and services

Relevant agencies or by requesting external consulting agencies


USA Canada Australia/New Zealand

Publication

Making the PIA publicly available through the website of the agency, publication in the Federal Register, or other means, that may be modified or waived for security reasons, or to protect classified, sensitive or private information contained in an assessment Agencies shall provide the Director of OMB with a copy of the PIA for each system for which funding is requested

Making PIA summaries publicly available

Providing a copy of the final PIA and report to the Office of the Privacy Commissioner in advance in order to get the proper advice or guidance with respect to proper protection strategy

The result of the PIA is usually not available publicly (no duty to report and publish)

Test Yourself

1. How is personal information different from other kinds of information?

2. Why should personal information be protected?

3. What is the significance of the OECD and UN principles on privacy protection?

4. Why is privacy impact assessment conducted?


6. cSIrteStaBLIShmeNtaNdoPeratIoN

This section aims to:• Explain how to establish and operate a national Computer Security Incident

Response Team (CSIRT); and• Provide models of CSIRT from various countries.

Cybercrime and various threats to information security need to be taken seriously because of their huge economic impact. Group-IB, a Russian security company, forecasted that the global cybercrime market would be USD 2.5 billion and grow to over USD 7 billion. According to IDC’s research survey, almost half of the companies of all sizes reported that the “total” impact of financial loss per event was over USD 100,000, while 8.5 per cent of the companies reported financial loss of over USD 1 million.

Establishing a CSIRT is an effective way of mitigating and minimizing damage from attacks on information systems and breaches of information security.

6.1 Development and Operation of a CSIRT

A CSIRT is an organization, formalized as such or adhoc, that is responsible for receiving, reviewing and responding to computer security incident reports and activities. The basic purpose of a CSIRT is to provide computer security incident handling services to minimize the damage and allow efficient recovery from a computer security incident.61

In 1988, the first outbreak of a worm named Morris occurred and it spread rapidly around the world. After this, the Defence Advanced Research Projects Agency founded the Software Engineering Institute and then established the CERT/CC at Carnegie Mellon University under a US Government contract. Since then, each country in Europe has established similar organizations. Since no single CSIRT has been able to solve broad vulnerability incidents, the Forum of Incident Response and Security Teams (FIRST) was established in 1990. Through FIRST, many information security agencies and CSIRTs are able to exchange opinions and share information.

Choosing the right CSIRT model62

There are five general organizational models for CSIRTs. The model that is most appropriate to an organization—i.e. considering various conditions such as the environment, financial status and human resources—should be adopted.

1. Security team model (using existing IT staff)

The security team model is not a typical CSIRT model. In fact, it is the opposite of a typical CSIRT. In this model, there is no centralized organization that is given responsibility for handling

61 CERT, “CSIRT FAQ”, Carnegie Mellon University, http://www.cert.org/csirts/csirt_faq.html.62 This section is drawn from Georgia Killcrece, Klaus-Peter Kossakowski, Robin Ruefle and Mark Zajicek, Organizational Models

for Computer Security Incident Response Teams (CSIRTs) (Pittsburgh, Carnegie Mellon University, 2003), http://www.cert.org/archive/pdf/03hb001.pdf.


computer security incidents. Instead, incident handling tasks are conducted by system and network administrators, or by other security system specialists.

figure18.Securityteammodel

2. Internal distributed CSIRT model

This model is also referred to as the “distributed CSIRT”. The team in this model is composed of the CSIRT administrator who is responsible for reporting and overall management, and staff from other divisions of the concerned enterprise/agency. The CSIRT in this model is an officially recognized organization with the responsibility for handling all incident response activities. As the team is built within a company or an agency, the team is considered “internal”.

The internal distributed CSIRT model differs from the security team model in the following ways:

• The existence of more formalized incident handling policies, procedures and processes;• An established method of communication with the whole enterprise concerning security

threats and response strategies; and• A designated CSIRT manager and team members who are specifically assigned incident

handling tasks.

figure19.InternaldistributedcSIrtmodel


3. Internal centralized CSIRT model

In the internal centralized CSIRT model, a centrally located team controls and supports the organization. The CSIRT has overall responsibility for all incident reporting, analysis and response. Thus, the team members cannot handle other jobs and spend all of their time working for the team and handling all incidents. Also, the CSIRT manager reports to high-level management such as the Chief Information Officer, Chief Security Officer or Chief Risk Officer.

figure20.InternalcentralizedcSIrtmodel

4. Combined distributed and centralized CSIRT model

This is also known as the “combined CSIRT”. Where a centralized CSIRT cannot control and support the entire organization, some team members are distributed among the organization’s sites/branches/divisions to provide within their areas of responsibility the same level of services as provided by the centralized CSIRT.

The centralized team provides high-level data analysis, recovery methods and mitigation strategies. It also furnishes the distributed team members with incident, vulnerability and artifact response support. The distributed team members at each site implement the strategies and provide expertise in their areas.


figure21.combinedcSIrt

5. Coordinating CSIRT model

A coordinating CSIRT strengthens the function of the distributed teams in the combined CSIRT. In the coordinating CSIRT model, the team members in the combined CSIRT are grouped into independent CSIRTs based on such characteristics as network connectivity, geographical boundaries, and the like. They are controlled by the centralized CSIRT.

The coordinating CSIRT model is appropriate for a national CSIRT system. This model can be applied to the internal activities in an organization and to support and closely coordinate external agencies.

The coordination and facilitation activities cover information sharing, providing mitigation strategies, incident response, recovery method, research/analyses of trends and patterns of incident activity, vulnerability databases, clearinghouses for security tools, and advisory and alert services.

figure22.coordinatingcSIrt


Setting up a CSIRT: Steps for creating a national CSIRT63

There are five stages in setting up a CSIRT. The purpose, vision or roles of the CSIRT should serve as a guide in progression through the stages.

Stage 1 – Educating stakeholders about the development of a national team

Stage 1 is the awareness stage, where stakeholders develop understanding of what is involved in establishing the CSIRT. Through various education methods, they learn about:

a. The business drivers and motivators behind the need for a national CSIRTb. Requirements for developing the incident response capabilities of a national CSIRTc. Identifying the people to be involved in the discussions for building a national teamd. The key resources and critical infrastructure that exist within the countrye. The types of communications channels that need to be defined for communicating with

the CSIRT constituencyf. Specific laws, regulations and other policies that will affect the development of the national

CSIRTg. Funding strategies that can be used to develop, plan, implement and operate the response

capabilityh. Technology and network information infrastructure that will be needed to support the

operations of the national teami. Basic response plans and interdependencies as they apply across a variety of sectorsj. The potential set of core services that a national CSIRT may provide to its constituencyk. Best practices and guides

Stage 2 – Planning the CSIRT: Building on the knowledge and information gained during Stage 1

Stage 2 involves planning the CSIRT based on knowledge and information gained during Stage 1. Issues discussed in Stage 1 are reviewed and discussed further, and then the precise details are determined and applied to the implementation plan. The plan is established considering the following activities:

a. Identifying the requirements and need for the national CSIRT —• Laws and regulations that will affect the operations of the national team• Critical resources that need to be identified and protected• Current incidents and trends that are being reported or should be reported• Existing incident response capabilities and computer security expertise

b. Defining the vision of the national CSIRTc. Defining the mission of the national teamd. Determining the constituency (or constituencies) that it will servee. Identifying the communication interfaces between the constituency and the national teamf. Identifying the type of national (government) approval, leadership and sponsorshipg. Identifying the types of staff skills and knowledge that is needed to operate the teamh. Defining the types of roles and responsibilities for the national CSIRTi. Specifying the incident management processes of the CSIRT as well as determining the

relationships to similar processes in any of the external constituent organizationsj. Developing a standardized set of criteria and consistent terminology for categorizing and

defining incident activity and eventsk. Defining how the national CSIRT will interact with the constituency and other global CSIRTs

or external partners

63 This section is drawn from Georgia Killcrece, Steps for Creating National CSIRTs (Pittsburgh, Carnegie Mellon University, 2004), http://www.cert.org/archive/pdf/NationalCSIRTs.pdf.


l. Determining any processes required for integration with existing disaster recovery, incident response plans, business continuity plans, crisis management or other emergency management plans

m. Developing project timelinesn. Creating the national CSIRT plan based on outcomes from the planning activity, vision and

corresponding framework

Stage 3 – Implementing the CSIRT

In Stage 3, the project team uses the information and plan from Stages 1 and 2 to implement the CSIRT. The implementation process is as follows:

a. Getting the funds from sources identified during the planning stageb. Announcing broadly that a national CSIRT is being created and where additional information

can be obtained (about progress on the development, reporting requirements, etc.)c. Formalizing coordination and communication mechanisms with stakeholders and other

appropriate contactsd. Implementing the secure information systems and network infrastructure to operate the

national CSIRT (e.g. secure servers, applications, telecommunications equipment and other infrastructure support resources)

e. Developing the operation and process for the CSIRT staff, including the agreed standard in the planning stage and reporting guideline

f. Developing internal policies and procedures for access and operation of CSIRT equipment and personal equipment, as well as acceptable use policies

g. Implementing processes for the national CSIRT’s interactions with its constituencyh. Identifying and hiring (or reassigning) personnel, obtaining appropriate training and education

for the CSIRT staff, as well as determining other potential outreach efforts to train and educate the constituency

Stage 4 – Operating the CSIRT

At the operational stage, the basic services that the national CSIRT has to provide are defined and the operational efficiency to utilize an incident management capability is evaluated. Based on the results, operational details are established and improved. The activities at this stage are:

a. Actively performing the various services provided by the national CSIRTb. Developing and implementing a mechanism for evaluating the effectiveness of the national

CSIRT operationsc. Improving the national CSIRT according to the results of the evaluationd. Expanding the mission, services and staff as appropriate and as can be sustained to

enhance service to the constituencye. Continuing to develop and enhance CSIRT policies and procedures

Stage 5 – Collaboration

A national CSIRT can develop a trusted relationship with key stakeholders through efficient operations (Stage 4). But a national CSIRT also needs to exchange important information and experiences of incident handling through long-term exchanges with cooperating institutions, domestic CSIRTs and international CSIRTs. The activities at this stage include:

a. Participating in data and information sharing activities and supporting the development of standards for data and information sharing between partners, other CSIRTs, constituents and other computer security experts

b. Participating in global “watch and warning” functions to support the community of CSIRTs


c. Improving the quality of CSIRT activities by providing training, workshops and conferences that discuss attack trends and response strategies

d. Collaborating with others in the community to develop best practice documents and guidelinese. Reviewing and revising the processes for incident management as part of an ongoing

improvement process

CSIRT services64

The services that CSIRTs provide may be classified into reactive services, proactive services and service quality management services.

Reactive services are the core services of a CSIRT. They include:

1. Alerts and warnings – This service includes providing information and response methods for dealing with problems such as a security vulnerability, an intrusion alert, a computer virus or a hoax.

2. Incident handling – This involves receiving, triaging and responding to requests and reports, and analysing and prioritizing incidents and events. Specific response activities include the following:

• Incident analysis – An examination of all available information and supporting evidence or artifacts related to an incident or event. The purpose of the analysis is to identify the scope of the incident, the extent of damage caused by the incident, the nature of the incident and available response strategies or workarounds.

• Forensic evidence collection – The collection, preservation, documentation and analysis of evidence from a compromised computer system to determine changes to the system and to assist in the reconstruction of events leading to the compromise.

• Tracking or tracing – Involves tracking or tracing how the intruder entered the affected systems and related networks. This activity includes tracing the origins of an intruder or identifying systems to which the intruder had access.

3. Incident response on site – The CSIRT provides direct, on-site assistance to help constituents recover from an incident.

4. Incident response support – The CSIRT assists and guides the victim(s) of the attack in recovering from an incident via phone, e-mail, fax or documentation.

5. Incident response coordination – The response effort among parties involved in the incident is coordinated. This usually includes the victim of the attack, other sites involved in the attack and any sites requiring assistance in the analysis of the attack. It may also include the parties that provide IT support to the victim, such as ISPs and other CSIRTs.

6. Vulnerability handling – This involves receiving information and reports about hardware and software vulnerabilities, analysing the effects of the vulnerabilities, and developing response strategies for detecting and repairing the vulnerabilities.

64 This section is drawn from Carnegie Mellon University, CSIRT Services (2002), http://www.cert.org/archive/pdf/CSIRT-services-list.pdf.


• Vulnerability analysis – Refers to technical analysis and examination of vulnerabilities in hardware or software. The analysis may include reviewing the source code, using a debugger to determine where the vulnerability occurs, or trying to reproduce the problem on a test system.

• Vulnerability response – Involves determining the appropriate response to mitigate or repair vulnerabilities. This service can include performing the response by installing patches, fixes or workarounds. It also involves notifying others of the mitigation strategies, advisories or alerts.

• Vulnerability response coordination – The CSIRT notifies the various parts of the enterprise or constituency about the vulnerability and shares information about how to fix or mitigate it. The CSIRT also classifies successful vulnerability response strategies. Activities include analysing vulnerability or vulnerability reports and synthesizing technical analyses done by different parties. This service can also include maintaining a public or private archive or knowledge base of vulnerability information and corresponding response strategies.

7. Artifact handling – This includes analysis, response, coordination and handling of artifacts that involve computer viruses, Trojan horse programs, worms, exploit scripts and toolkits.

• Artifact analysis – The CSIRT performs a technical examination and analysis of any artifact found in a system.

• Artifact response – Involves determining the appropriate actions to detect and remove artifacts from a system.

• Artifact response coordination – Involves sharing and synthesizing analysis results and response strategies pertaining to an artifact with other researchers, CSIRTs, vendors and other security experts.

Proactive services are for improving the infrastructure and security processes of the constituency before any incident or event occurs or is detected. They include the following:

1. Announcements – These include intrusion alerts, vulnerability warnings, security advisories, and the like. Such announcements inform constituents about new developments with medium- to long-term impact, such as newly found vulnerabilities or intruder tools. Announcements enable constituents to protect their systems and networks against just discovered problems before they can be exploited.

2. Technology watch – This involves monitoring and observing new technical developments, intruder activities and related trends to help identify future threats. The outcome of this service might be some type of guidelines, or recommendations focused on more medium- to long-term security issues.

3. Security audits or assessments – This service provides a detailed review and analysis of an organization’s security infrastructure, based on the requirements defined by the organization or by other industry standards that apply.

4. Configuration and maintenance of security tools, applications, infrastructures and services – This service provides appropriate guidance on how to securely configure and maintain tools, applications and the general computing infrastructure.


5. Development of security tools – This service includes the development of new, constituent-specific tools, software, plug-ins and patches that are developed and distributed for security.

6. Intrusion detection services – CSIRTs that perform this service review existing IDS logs, analyse them and initiate a response for events that meet their defined threshold.

7. Security-related information dissemination – This service provides constituents with a comprehensive and easy-to-find collection of useful information that aids in improving security.

Security quality management services are designed to provide knowledge gained from responding to incidents, vulnerabilities and attacks synthetically. Such services include:

1. Risk analysis – This involves improving the CSIRT’s ability to assess real threats, provide realistic qualitative and quantitative assessments of risks to information assets, and evaluate protection and response strategies.

2. Business continuity and disaster recovery planning – Business continuity and recovery from disaster caused by computer security attacks are ensured through adequate planning.

3. Security consulting – CSIRTs can also provide practical advice and guidance for business operations.

4. Awareness building – CSIRTs are able to improve security awareness by identifying and providing information and guidance about security practices and policies that constituents require.

5. Education/Training – This service involves providing education and training on such topics as incident reporting guidelines, appropriate response methods, incident response tools, incident prevention methods, and other information necessary to protect, detect, report and respond to computer security incidents. Training modalities include seminars, workshops, courses and tutorials.

6. Product evaluation or certification – The CSIRT may conduct product evaluations on tools, applications or other services to ensure the security of the products and their conformance to acceptable CSIRT or organizational security practices.

Table 12 shows the level of each CSIRT service—i.e. whether it is a core, additional or unusual service—in each CSIRT model.


table12.cSIrtservices

Service Category Services Security

Team Distributed Centralized Combined Coordinating

Reactive

Alerts and Warnings Additional Core Core Core Core

Incident Handling

Incident Analysis Core Core Core Core Core

Incident Response On Site

Core Additional Additional Additional Unusual

Incident Response Support

Unusual Core Core Core Core

Incident Response Coordination

Core Core Core Core Core

Artifact Handling

Vulnerability Analysis Additional Additional Additional Additional Additional

Vulnerability Response Core Additional Unusual Additional Additional

Vulnerability Response Coordination

Additional Core Core Core Core

Artifact Analysis Additional Additional Additional Additional Additional

Artifact Response Core Additional Additional Additional Additional

Artifact Response Coordination

Additional Additional Core Core Core

Proactive

Announcements Unusual Core Core Core Core

Technology Watch Unusual Additional Core Core Core

Security Audits or Assessments Unusual Additional Additional Additional Additional

Configuration and Maintenance of Security Tools, Applications, Infrastructures and Services

Core Additional Additional Additional Unusual

Development of Security Tools Additional Additional Additional Additional Additional

Intrusion Detection Services Core Additional Additional Additional Unusual

Security-Related Information Dissemination

Unusual Additional Core Core Core

Security Quality

Management

Risk Analysis Unusual Additional Additional Additional Additional

Business Continuity and Disaster Recovery Planning

Unusual Additional Additional Additional Additional

Security Consulting Unusual Additional Additional Additional Additional

Awareness Building Unusual Additional Additional Additional Core

Education/Training Unusual Additional Additional Additional Core

Product Evaluation or Certification Unusual Additional Additional Additional Additional

Source: Georgia Killcrece, et. al., Organizational Models for Computer Security Incident Response Teams (CSIRTs) (Pittsburgh, Carnegie Mellon University, 2003), http://www.cert.org/archive/pdf/03hb001.pdf.


6.2 International CSIRT Associations

Currently, there are a number of specialized international CSIRT associations established to respond to computer security incidents around the world. While national CSIRTs can respond to attacks and perform their other functions, a cross-border attack involving more than two economies requires the attention of an international CSIRT association.

Forum of Incident Response Security Teams65

The Forum of Incident Response Security Teams (FIRST) consists of CERTs, government agencies and security companies from 52 countries. Its membership includes 248 organizations, including CERT/CC and US-CERT (as of September 2011). FIRST is an association for information sharing and cooperation among incident response teams. Its goal is to activate incident response and protection activities, and motivate cooperation among members by providing them with technology, knowledge and tools for incident response. The activities of FIRST are as follows:

• Developing and sharing best practices, procedure, tools, technical information and methodologies for incident response and protection;

• Motivating the development of policies, services and security products of good quality;• Supporting and developing appropriate computer security guidelines;• Helping governments, enterprises and educational institutions to establish an incident

response team and expand it; and• Facilitating the sharing of technology, experiences and knowledge among members for a

safer electronic environment.

Asia-Pacific CERT66

The Asia-Pacific Computer Emergency Response Team (APCERT) was established in February 2003 to serve as a network of security experts, strengthen incident response and improve security awareness in the Asia-Pacific region. The first conference of Asia-Pacific CSIRTs was held in Japan in 2002. APCERT was founded a year later at a conference in Taipei attended by 14 Asia-Pacific CSIRTs. As of September 2011, APCERT has 18 full members and 9 general members from 18 economies.

APCERT members agree that today’s computer security incidents are too numerous, complicated and difficult to control for any one organization or country, and that a more effective response can be deployed by collaborating with other members of APCERT. As in FIRST, the most important concept in APCERT is the relationship of trust between members for exchanging information and cooperating with each other. Thus, APCERT activities are designed to:

• Enhance Asia-Pacific regional and international cooperation;• Jointly develop measures to deal with large-scale or regional network security incidents;• Improve security information sharing and technology exchange, including information on

computer viruses, exploit scripts, and the like;• Improve collaborative research on common problems;• Assist other CERTs in the region in responding effectively to computer security incidents; and• Provide advice and solutions to legal issues related to regional information security and

incident response.65 FIRST, “About FIRST”, FIRST.org, Inc., http://www.first.org/about/.66 APCERT, “Background”, http://www.apcert.org/about/background/index.html.


European Government CERT67

The European Government CERT (EGC) is a non-official committee that is associated with governmental CSIRTs in European countries. Its members include Finland, France, Germany, Hungary, the Netherlands, Norway, Sweden, Switzerland and the UK. Its roles and responsibilities are to:

• Jointly develop measures to deal with large-scale or regional network security incidents;• Promote information sharing and technology exchange in regard to security incidents and

malicious code threats and vulnerability;• Identify areas of knowledge and expertise that could be shared within the group;• Identify areas of collaborative research and development on subjects that are of interest

to members; and• Promote the formation of government CSIRTs in European countries.

European Network and Information Security Agency68

The purpose of European Network and Information Security Agency (ENISA) is to enhance network security and information security in the EU through the creation of an NIS culture. It was established in January 2004 by the Council of Ministers and the European Parliament to respond to “hi-tech” crime. It has the following roles:

• Providing support to ensure NIS among members of ENISA or the EU; • Promoting stable exchange of information between stakeholders; and • Improving the coordination of functions relating to NIS.

ENISA is expected to contribute to international efforts to mitigate viruses and hacking and establish online monitoring of threats.

6.3 National CSIRTs

Several countries have organized a national CSIRT. Table 13 lists the countries and their respective CSIRTs as well as the website for each.

table13.ListofnationalcSIrts

Country Official name Homepages

Argentina Computer Emergency Response Team of the Argentine Public Administration http://www.arcert.gov.ar

Australia Australia’s National Computer Emergency Response Team http://www.cert.gov.au

Brazil Computer Emergency Response Team Brazil http://www.cert.br

Brunei Darussalam

Brunei Computer Emergency Response Team http://www.brucert.org.bn

Canada Canadian Cyber Incident Response Centre http://www.publicsafety.gc.ca/prg/em/ccirc/index-eng.aspx

Chile Chilean Computer Emergency Response Team http://www.clcert.cl

67 EGC, http://www.egc-group.org.68 ENISA, “About ENISA”, http://www.enisa.europa.eu/about-enisa.


Country Official name Homepages

ChinaNational Computer Network Emergency Response Technical Ream – Coordination Center of China

http://www.cert.org.cn

Denmark Danish Computer Emergency Response Team http://www.cert.dk

El Salvador Response Team for Computer Security Incidents

Finland Finnish Communication Regulatory Authority http://www.cert.fi

France CERT-Administration http://www.certa.ssi.gouv.fr

Germany CERT-Bund http://www.bsi.bund.de/certbund

Hong Kong Hong Kong Computer Response Coordination Centre http://www.hkcert.org

Hungary CERT-Hungary http://www.cert-hungary.hu

India CERT-In http://www.cert-in.org.in

Indonesia Indonesia Security Incident Response Team on Internet Infrastructure http://www.idsirtii.or.id

Japan JP CERT Coordination Center http://www.jpcert.or.jp

Lithuania LITNET CERT http://cert.litnet.lt

Malaysia Malaysian Computer Emergency Response Team http://www.mycert.org.my

Mexico Universidad Nacional Autonoma de Mexico http://www.cert.org.mx

Netherlands GOVCERT.NL http://www.govcert.nl

New Zealand Centre for Critical Infrastructure Protection http://www.ccip.govt.nz

Norway Norwegian National Security Authority http://www.cert.no

Philippines Philippines Computer Emergency Response Team http://www.phcert.org

Poland Computer Emergency Response Team Polska http://www.cert.pl

Qatar Qatar Computer Emergency Response Team http://www.qcert.org

Saudi Arabia Computer Emergency Response Team – Saudi Arabia http://www.cert.gov.sa

Singapore Singapore Computer Emergency Response Team http://www.singcert.org.sg

Slovenia Slovenia Computer Emergency Response Team http://www.arnes.si/english/si-cert

Republic of Korea CERT Coordination Center Korea http://www.krcert.or.kr

Spain IRIS-CERT http://www.rediris.es/cert

Sweden Swedish IT Incident Centre http://www.sitic.se

Thailand Thai Computer Emergency Response Team http://www.thaicert.nectec.or.th

Tunisia Tuncert – Tunisian Computer Emergency Response Team

http://www.ansi.tn/en/about_agency/about_tuncert.html

Turkey TP-CERT http://www.uekae.tubitak.gov.tr

United Kingdom GovCertUK http://www.govcertuk.gov.uk

United States of America

United States Computer Emergency Readiness Team http://www.us-cert.gov

Viet Nam Viet Nam Computer Emergency Response Team http://www.vncert.gov.vn

Source: CERT, “National Computer Security Incident Response Teams”, Carnegie Mellon University, http://www.cert.org/csirts/national/contact.html.


Something To Do

Is there a national CSIRT in your country?

1. If yes, describe it in terms of the model it is patterned after and how it works. Assess how effective it is in performing its functions.

2. If none, determine which CSIRT model would be appropriate for your country and describe what is required to establish a national CSIRT in your country.

Test Yourself

1. What are the key functions of CSIRTs?

2. How different are international CSIRTs from national CSIRTs?

3. What are the requirements for setting up a CSIRT?


7. LIfecycLeofINformatIoNSecurItyPoLIcy

This section aims to:• Give an overview of the information security policymaking process; and• Discuss issues that policymakers must consider in information security policymaking.

Policymakers need to take into account a number of considerations, among them the rationale for a policy, available resources, the policy direction, budgetary and legal requirements, and expected policy outcomes. In this section, these considerations are discussed in the context of the different stages of information security policymaking.

It should be noted that different countries will have slightly different policy considerations and contexts. The policymaking process described in this section is generic and based on the assumption that there is no existing national information security policy.

As with other policies, the life cycle of information security policy can be divided into four phases: (1) information gathering and gap analysis; (2) establishment of the policy; (3) implementation of the policy; and (4) control and feedback (see figure 23). In addition, a national information security policy should include the information security strategy, legal relationships, information security organization, information security technology, and the interrelationships among them.

figure23.Lifecycleofinformationsecuritypolicy


7.1 Information Gathering and Gap Analysis

The first phase in formulating an information security policy is information gathering and gap analysis.

In information gathering, it is useful to review examples of information security and related policies from other countries, as well as related policies within the country itself.

In gap analysis, it is important to understand the existing infrastructure related to information security, such as existing laws and systems, as well as areas or gaps that need to be filled. This is an important step as it determines the direction or priority of the information security policy to be established.

Information gathering

Gathering cases from overseas: In locating relevant cases in other countries, policymakers should consider similarities in the —

• Level of national information security• Direction of policy establishment• Network and system infrastructure

Considering these similarities, the following materials should be collected —

• Information on the establishment and operation of organizations engaged in information security (see sections 3 and 6 of this module)

• Information security policies, laws and regulations (see section 3)• Internationally used information security methodology and examples from different countries

(see section 4)• Threat trends and countermeasures or controls according to attack types (see sections 2

and 6)• Countermeasures for privacy protection (see section 5)

Gathering domestic materials: Although most policymakers are not experts in information security, they perform activities that are related or relevant to information security. Specifically, they craft laws, regulations and policies in areas related to information security. However, because laws, regulations and policies tend to focus on specific areas, the correlation among them might not be immediately apparent to policymakers. Thus, there is a need to collect and analyse and evaluate all laws, regulations and policies that are related or relevant to information security.

Gap analysis

Sun Tzu’s The Art of War says, “Know your enemy.” This means you should know your limits as well as that of your enemy. In the case of information security policymaking, this would mean knowing what needs to be protected through an information security policy as well as vulnerabilities and threats to information security.

Gap analysis can be divided into two phases:


1. Understanding the country’s abilities and capacities—i.e. the organization and human resources, as well as the information and communication infrastructure—in the general area of information security; and

2. Identifying the external threats to information security.

Policymakers need to be familiar with the information security organization and human resources, that is public and private institutions in areas related to information security. They should know the organizations involved in information security related work and understand their scope of work, roles and responsibilities. This is important in order not to duplicate existing structures for information security.

It is also at this point that experts in information security should be identified and tapped. Such experts typically have a background in law, policy, technology, education and related fields. The information-communication infrastructure refers to the IT structure that collects, processes, stores, searches, transmits and receives electronic control management systems and information. In short, this is the information system and network. Understanding the current status of the information-communication infrastructure is particularly important from an economic point of view. Because large investments are needed to connect the whole country, making the most of existing information-communication facilities is advantageous. Figure 24 shows a sample information-communication infrastructure for information security. It does not include all items that may be required and is given here only for illustrative purposes. Note the relationship among the various components of the network.

figure24.Samplenetworkandsystemstructure

Policymakers need to be able to grasp how the general network and systems for information security are set up.

The second step in gap analysis is to identify the external threats to information security. As mentioned in section 2, threats to important information are not only increasing but also becoming more sophisticated. Policymakers need to understand these threats to be able to decide what countermeasures are necessary. In particular, policymakers must understand:

• The penetration rate of threats to information security• The most common and current attack types• Threat types and their expected degree of strength in the future


After analysing national organizations, human resources and the information-communication infrastructure, as well as grasping the threat components in the area of information security, it is important to derive the vulnerable components. This is determining the extent to which the country can resist the external threat components. This determination can be made by examining the following: • Current status of the CERT and its ability to react• Current status of experts on information security• Construction level and intensity of the information security system• Legal protection against information asset infringement• Physical environment for protecting information assets

The objective of gap analysis is to be able to identify the practical countermeasures that need to be taken. It should be emphasized that it is the most basic step in information security policymaking.

7.2 Formulating Information Security Policy

Formulating a national information security policy involves: (1) setting the policy direction; (2) constituting the information security organization and defining its roles and responsibilities; (3) articulating the information security policy framework; (4) instituting and/or revising laws to make them consistent with the policy; and (5) allocating a budget for information policy implementation.

1. Setting the policy direction and pushing ahead

In most cases, the pursuit of information security policy should be spearheaded by the government rather than left to the private sector. In particular, the government needs to set the policy, play a lead role in putting the necessary infrastructure in place and provide long-term support. The private sector joins the project in time, principally to take part in research and development, and system construction.

Planning for private sector participation includes awareness-raising activities alongside building and strengthening the information-communication infrastructure. If the government aims to encourage the private sector to accept the information security strategy, then government should play a supportive rather than a controlling role. This includes distributing information security guidelines.

2. Constitution of the information security organization, and definition of roles and responsibilities69

Once the direction for information security policy has been set, the implementing organization should be constituted. Figure 25 shows the structure of a generic national information security organization.

69 This section is drawn from Sinclair Community College, “Information Security Organization – Roles and Responsibilities”, http://www.sinclair.edu/about/information/usepolicy/pub/infscply/Information_Security_Organization_-_Roles_and_

Responsibilities.htm.


figure25.agenericnationalinformationsecurityorganization

National information security organizations differ slightly according to the characteristics and cultures of each country. However, a basic principle is to ensure that roles and responsibilities are clearly delineated.

Administrative organization

Division Vice-Presidents have primary responsibility for information collected, maintained and/or identified as utilized or “owned” by their respective divisions. They may designate an Information Security Officer and other individuals to assist the Information Security Officer in implementing the information security policy. These designated staff must ensure that information assets within their span of control have designated owners, that risk assessments are conducted and that mitigation processes based on those risks are implemented.

Supervisors (Directors, Chairs, Managers, etc.) manage employees with access to information and information systems and specify, implement and enforce the information security controls applicable to their respective areas. They must ensure that all employees understand their individual responsibilities with regard to information security and that employees have the access required to perform their jobs. Supervisors should periodically review all users’ access levels to ensure that they are appropriate, and take appropriate action to correct discrepancies or deficiencies.

The Chief Information Security Officer (CISO) is responsible for coordinating and overseeing the information security policy. Working closely with various divisions, the CISO may recommend that supervisors of specific divisions designate other representatives to oversee and coordinate particular elements of the policy. The CISO also assists information owners with information security best practices in:


• Establishing and disseminating enforceable rules regarding access to and acceptable use of information resources;

• Conducting/Coordinating information security risk assessment and analysis;• Establishing reasonable security guidelines and measures to protect data and systems;• Assisting with monitoring and management of systems security vulnerabilities;• Conducting/Coordinating information security audits; and• Assisting with investigations/resolution of problems and/or alleged violations of national

information security policies.

Technical organization

The Administrative System Information Security Team develops and implements measures to ensure that administrative application security controls allow stakeholders appropriate access to information while meeting national legal and ethical obligations to protect private, sensitive and critical information. The team develops processes and standards to provide optimal availability, integrity and confidentiality of administrative system information, including processes for users to request initial access and access changes; documentation of authorized user access, as well as user/supervisor rights and responsibilities; and resolution of security-related conflicts and issues.

The team includes the Division Information Security Officers and the CISO. The team is advised by the Department Information Security Officers and Administrative Systems Administrators.

The CSIRT provides information and assists stakeholders in implementing proactive measures to reduce the risks of computer security incidents, and in investigating, responding to and minimizing damage from such incidents when they occur. The CSIRT also determines and recommends follow-up actions. The two-layer CSIRT is composed of an operational team charged with initial identification, response, triage and determination of escalation requirements, and a management team charged with spearheading the national response to major or significant incidents. The CISO and delegated IT staff members from IT Services and Systems Development and Maintenance are part of the operational CSIRT. The CSIRT management team is composed of the Chief Information Officer, Chief of Police, Director of Public Information, Director of IT Services, Director of Systems Development and Maintenance, CISO, systems and network manager, a legal advisor, a human resources advisor, and delegates with technical expertise specifically appointed by the Vice Presidents.

IT Services Department staff members include systems and network administrators and engineers, and technical services providers such as the IT Help Desk, user support technicians and voice communications administrators. They are responsible for the integration of technical information security tools, controls and practices in the network environment. They receive reports of suspected information security failure or incidents from end-users.

Systems Development and Maintenance staff members include developers and database administrators. They develop, practice, integrate and implement security best practices for national applications, and train Web application developers in the use of application security principles.

Others

Employees with access to information and information systems must comply with applicable national policies and procedures, as well as any additional practices or procedures established by their unit heads or directors. This includes protecting their account passwords and reporting suspected misuse of information or information security incidents to the appropriate party (usually their supervisor).


Temporary staff members are considered employees and have the same responsibilities as regular full- or part-time employees with access to information and information systems.

Consultants, service providers and other contracted third parties are granted access to information on a “need-to-know” basis. A network account required by a third party must be requested by a “sponsor” within the organization who shall ensure that the third party user understands the individual responsibilities related to the network account, and approved by the appropriate vice-president or director. The user must keep his/her password(s) secure and be accountable for any activity resulting from the use of his/her user ID(s) within reasonable scope of his/her control.

3. Setting the framework of information security policy Information security framework

The information security framework sets the parameters for information security policy. It ensures that the policy takes into account IT resources (people, information documents, hardware, software, services); reflects international laws and regulations; and meets the principles of information availability, confidentiality, integrity, accountability and assurance. Figure 26 shows an information security framework.

figure26.Informationsecurityframework

Information Security Framework

AvailabilityAvailability ConfidentialityConfidentiality IntegrityIntegrity AccountabilityAccountability AssuranceAssurance

Information Security PolicyInformation Security Policy

IT Resource People Information Document Hardware Software Service

Nation’slaws /

systems

Internationallaws /

systems

Plan / Organization

Plan / Organization

Acquire / Implement

Acquire / Implement

Operation / Support

Operation / Support

Monitoring / Assessment


Privacy protection

Privacy protection

Plan / Organization

Plan / Organization

Acquire / Implement

Acquire / Implement

Operation / Support

Operation / Support



Privacy protection

Privacy protection

Security organization /

operation

Security organization /

operation

Human resources security

Human resources security

Information system operation and

security management

Information system operation and

security management

Security inspectionSecurity inspectionPrivacy protectionPrivacy protection

Asset classification / control

Asset classification / control

Information systems acquisition, and development

security

Information systems acquisition, and development

security

Account privilege security

management

Account privilege security

management

Management and response of

security accident

Management and response of

security accident

Physical securityPhysical securityLife securityLife security

The information security policy is the most important part of the information security framework. The policy includes five areas, discussed below.


a. Plan and Organization: This area includes security of organization and operation, and asset classification and control.

Security organization and operation covers the —

• Organization and system of the national information security organization• Procedure of each information security organization• Constitution and management of the nation’s information security• Cooperation with the relevant international agency• Cooperation with an expert group

Asset classification and control includes —

• Ownership grant and classification standard for important information assets• Registration instruction and risk assessment of important information assets• Management of access privileges over important information assets• Publication and export of important information assets• Important information assets revaluation and exhaustion• Security management of documents

b. Acquisition and Implementation: This area includes human resources security, and information systems acquisition and development security.

Human resources security involves defining a management method for hiring new employees that includes —

• Human resources security countermeasure and security training• Processing of breach of security regulation and the law• Security management of third party access• Security management of access of outsourcing personnel• Work and management of third parties and outsourcing employees• Security management of computer room and equipment• Access to main facilities and buildings• Processing of security accidents

Information systems acquisition and development security requires —

• Security checks when an information system is acquired• Security management for in-house and outsourcing of application programs• A national encryption system (encrypt program and key, and so on)• Tests after program development• Suggested security requirements when outsourcing development• Security verification with development and acquisition

c. Privacy Protection: The inclusion of privacy protection in an information security policy is not mandatory. However, including it is an advantage because privacy protection is an international issue. Privacy protection provisions should cover the following —

• Personal information collection and use• Prior consent when taking advantage of people’s privacy• PIA


d. Operation and Support: This area has to do with physical and technical security. Use of the network and system is regulated in detail, and the physical security of the information and communication infrastructure is defined.

Information system operation and security management involves defining the following —

• Operation and security management of the server, network, application and database• Development of the information security system• Log and back-up against legal action• Information storage management• Mobile computing• Standard for custody and security of computer data• Electronic commerce services

Account privilege security management – Access control and account management have to be defined to guarantee confidentiality in the use of the nation’s information depository. This includes —

• Registration, deletion, privilege management of users of the national information system • Account and privilege management of encrypted networking

Physical security – Physical security refers to protecting information and communication facilities that keep important information. It includes —

• Configuring and managing security area methods• Access and transport control for the computer centre• Prevention of damage from natural and other disasters

e. Monitoring and Assessment: This area of information security policy requires the formulation of standards and processes for preventing security incidents and managing and responding to security incidents.

Security inspection includes —

• Establishing a security inspection plan• Implementing periodic security inspection• Formulating/Organizing report forms • Identifying the subject of security inspections and report targets

Management of and response to security incident requires defining —

• The work and role of each organization in processing security incidents • Procedures for observing and recognizing symptoms of security incidents• Security incident processing procedure and response method• Measures to be undertaken after security incident processing

4. Instituting and/or revising laws to be consistent with the information security policy

Laws must be consistent with the information security policy. There should be laws governing State organizations and private enterprise. Tables 14 to 16 list laws related to information security in Japan, the EU and the US, respectively. In Japan, the representative IT law is the Basic Act on the Formation of an Advanced Information and Telecommunications Network


Society. This law is the fundamental standard for information security in the country and all related laws need to conform to it.

table14.InformationsecurityrelatedlawsinJapan

Laws Target industry Target of regulation Penalty

Unauthorized Computer Access Law

All industry

Action that promotes unauthorized access and supplies another person’s ID information without notice

Act on the Protection of Personal Information

Private enterprises that use private information for business purposes

Privacy information (address, phone number, e-mail, and so on) management

Criminal liability, fine

Act on Electronic Signatures and Certification

Facilitation of electronic commerce that takes advantage of the Internet and economic activity through networks

table15.Informationsecurityrelatedlawsintheeu

Laws Details

A Common Regulatory Framework (Directive 2002/21/EC)

• Presents the framework for regulating telecommunication networks and services

• Aims to protect privacy through secure communication networks

EU Directive on Data Protection (Directive 1995/46/EC)

• Guideline on processing and free removal of private information

• Fundamental law defining member nations’ responsibility and recognizing the ultimate authority of individuals over private information

• More stringent than the US standardEU Directive on Electronic Signatures(Directive 1999/93/EC)

EU Directive on Electronic Commerce(Directive 2000/31/EC)

• Governs use of electronic signatures• Regulates the conduct of electronic commerce

Cybercrime Treaty

• Most comprehensive international treaty about cybercrime

• Defines in detail all criminal acts that use the Internet and their corresponding penalties

Data Preservation Guideline on Communication and Networks

• Requires communication service providers to preserve call data from six months to 24 months (promulgated following the terrorist attacks in Madrid and London in 2004 and 2005, respectively)


table16.InformationsecurityrelatedlawsintheuSa

Laws Target industry Target of regulation Penalty

Federal Information Security Management Act of 2002

Federal administrative agencies

Information of administrative agencies, IT system, information security programme

-

Health Insurance Privacy and Accountability Act of 1996

Medical institutions and medical service providers

Electronic data of personal medical information


Gramm-Leach-Bliley Act of 1999 Financial institutions Privacy information

of customers Criminal liability, fine

Sarbanes-Oxley Act of 2002

Listed companies on The US Stock Exchange

Internal control and public financial record


California Database Security Breach Information Act of 2003

Administrative agencies and private enterprise in California

Encrypted privacy information

Fine and notification to victim

5. Allocating a budget for information policy implementation

Implementation of a policy requires a budget. Table 17 shows the budget for information security in Japan and the US in recent years.

table17.InformationsecuritybudgetofJapananduSa

(Units: Japan – hundred million yen; USA – million dollars) Japan 2005 2006 2007 2008 2009

Total annual IT budget 13 016 13 115 12 484 13 580 -

Information security budget 288 319 300 338 -

Percentage of total IT budget 2.21 2.43 2.40 2.49 -

USA 2005 2006 2007 2008 2009Total annual IT budget 66 215 66 215 64 911 68 314 70 914

Information security budget 3 411 5 512 5 905 6 631 7 278

Percentage of total IT budget 5.15 8.32 9.10 9.71 10.26

Sources: OMB for US figures; and the Japanese Ministry of Internal Affairs and Communications for Japan figures.


Something To Do

If your country has an information security policy, trace its development in terms of the five aspects of information security policy formulation described above. That is, describe the:

1. Policy direction

2. Information security organization

3. Policy framework

4. Laws supporting information security policy

5. Budgetary allocation for information security

If your country does not yet have an information security policy, outline some possibilities for each of the five aspects above towards the formulation of the policy. Use the following questions as a guide:

1. What should be the direction of information security policy in your country?

2. What organizational set-up should be in place? Which organizations should be involved in information security policy development and implementation in your country?

3. What specific issues should the policy framework address?

4. What laws should be enacted and/or repealed in support of the information policy?

5. What budgetary considerations should be taken into account? Where should the budget be drawn from?

Training participants from the same country can do this activity together.

7.3 Policy Execution / Implementation

The smooth implementation of information security policy requires cooperation among government, private and international agents. Figure 27 shows specific areas of information policy implementation where cooperation is crucial.


figure27.areasforcooperationininformationsecuritypolicyimplementation

Information security policy development Table 18 presents how the government, private sector and international organizations can contribute to national information security policy development.

table18.cooperationininformationsecuritypolicydevelopment(example)

Sector Contributions to Policy Development

Government

• National strategy and planning organization: ensure match between information policy and the national plan

• ICT organization: ensure the cooperation of the nation’s information security technology standard establishment

• Information security trend analysis organization: reflect domestic and international security trend and analysis in policy

• Legal analysis organization: check match between information security policy and existing laws

• National information organization: cooperate in direction setting and strategy establishment

• Investigative agencies: cooperate in the processing of security accidents

Private sector

• Information security consulting companies: use of professional agents in information security policymaking

• Private information security technology laboratory: establish technology standards related to information security

• Information security department of universities and/or graduate schools: provide expertise in policy formulation

International organizations

• Ensure compliance with international policy standards• Coordinate the response to international threats and accidents


Information and communication infrastructure management and protection

Effective use (collection, custody, etc.) of information requires the proper administration and protection of the IT infrastructure. A good information security policy is useless in the absence of a sound IT infrastructure.

The effective management and protection of information and communication infrastructure requires cooperation among the network, system and IT area managers. It also benefits from cooperation between public and private institutions (see table 19).

table19.cooperationinadministrationandprotectionofinformationandcommunicationinfrastructure(example)

Sector Contributions to Administration and Protection of Information and Communication Infrastructure

Government sector

• Information and communication network related organization: define composition and level of security of the national information and communication network

• ICT laboratory: distribute public standards and adopt usable technology

Private sector

• ISP: cooperate in the composition of the national information and communication network

• ICT laboratory: provide technical development services and cooperate in the operation of a stable information and communication infrastructure and security technology


• Cooperate with the international technology standard organization for international information and communication, and for securing new IT

Prevention of and response to threats and incidents

Responding effectively to threats and information security violations requires cooperation among the national information organization, investigative agencies and legal institutions, as well as organizations that conduct security accident inspection and damage estimation. It is also essential to cooperate with organization that can analyse technical vulnerabilities and prescribe technical countermeasures.

Table 20. Cooperation in information security accident response (example)

Sector Contributions

Government organizations

• Security incident response organization: provide situational analysis, hacking incident response, and technology to respond to violations and accidents

• National information organization: analyse and inspect information security related violations and accidents

• Investigative agencies: cooperate with the organization involved in apprehending and prosecuting offenders

• Organization providing security evaluation: verify the safety and reliability of information network and information security based production

• Information security education organization: analyse the causes of information security accidents and educate people to prevent the recurrence of accidents


Sector Contributions

Private groups

• Private incident response organization: provide response and technical support

• Private investigative agencies: cooperate with national investigative agencies


• In cases of international threats and incidents, report to and cooperate with Interpol, CERT/CC

Prevention of information security incidents

Preventing information security violations and accidents includes monitoring, education and change management. The national CSIRT is the main monitoring organization. A critical area is matching information policy and real monitoring data. Thus, it is necessary to discuss the scope of information policy monitoring. Moreover, it is important to educate government and private sector employees, as well as the general public, about information security policy. It may be necessary to change certain attitudes towards information and behaviours that impact on security information. Information security education and change management are defined in the US SP 800-16 (Information Technology Security Training Requirements).

table21.cooperationininformationsecurityviolationandaccidentprevention(example)

Sector Coordination

Government organizations

• Monitoring agent: continuous monitoring of the network and advanced detection of security threats

• Collecting agent: information sharing with international organizations and security sites

• Training institute: periodic simulation training to develop the ability and capacity to respond quickly to information security violations and accidents

Private organizations

• ISP, security control and anti-virus company: provide traffic statistics, information on attack type and profile of worms/viruses


• Provide information on the attack type, profile of worms/viruses, and the like

Privacy security

Cooperation is needed to establish Internet privacy protection measures, private locational information incident prevention, protection of private biological information and reporting of violations of privacy.

table22.coordinationinprivacyprotection(example)

Sector Coordination

Government agencies

• System analysis organization: conduct business related to private locational information, and analysis of trends in internal and external personal information protection

• Planning organization: improve laws/systems, technical/ administrative measures and standards management

• Technical support: coordinate cyberuser certification for businesses• Service organizations: coordinate support for troubleshooting privacy

violations and spam


Sector Coordination

Private organizations

• Personal information security organization: register requirements and organize cooperative associations for personal information security

• Personal information security consultingInternational organizations

• Cooperate to apply international personal information security standards

International coordination

Information security cannot be achieved through the efforts of one country alone because information security violations tend to be international in scope. Thus, international coordination in information security protection, both in government and in the private sector, must be institutionalized.

For the private sector, the relevant international organization for the promotion and protection of information security is CERT/CC. Among governments, ENISA (for the EU) and the ITU aim to foster cooperation in information security among countries.

In each country there must be a government institution whose role is to facilitate cooperation by both government and private organizations with international agencies and institutions.

Something To Do

1. Identify the government agencies and private organizations in your country that would need to collaborate and cooperate in the implementation of a national information security policy. Identify as well the international organizations that they need to coordinate with.

2. For each area of cooperation in information policy implementation shown in figure 27, specify specific actions or activities that these agencies and organizations can undertake.

Training participants from the same country can do this activity together.

7.4 Review and Evaluation of Information Security Policy

The final step in information security policymaking is evaluating policy and supplementing underdeveloped areas. Policy revision is essential after the efficiency of an information security policy has been determined.

A domestic policy evaluation method can be implemented to determine the efficiency of the national information security policy. Aspects of this method are discussed below.


Use of audit organizations

There are organizations whose role is to conduct appraisals and evaluation of policy. Such an organization should conduct regular audits of the national information security policy. Moreover, this organization should be independent of the information security policymaking organization and the implementing organization.

Revising information security policy

Problem areas are usually identified during the policy audit. There should be a process for revising the policy to address these problem areas.

Changes in the environment

It is important to react sensitively to changes in the policy environment. Changes arising from international threats (attacks) and vulnerabilities, changes in the IT infrastructure, grade changes of critical information, and other such important changes should be immediately reflected in the national information security policy.


Further Reading

Butt, Danny, ed. 2005. Internet Governance: Asia-Pacific Perspectives. Bangkok: UNDP-APDIP. http://www.apdip.net/publications/ict4d/igovperspectives.pdf.

CERT. CSIRT FAQ. Carnegie Mellon University. http://www.cert.org/csirts/csirt_faq.html.

__________Security of the Internet. Carnegie Mellon University. http://www.cert.org/encyc_article/tocencyc.html.

Dorey, Paul, and Simon Perry, eds. The PSG Vision for ENISA. Permanent Stakeholders Group, 2006. http://www.enisa.europa.eu/about-enisa/structure-organization/psg/files/psg-vision.

ESCAP. 2007. Module 3: Cyber Crime and Security. In An Introductory Set of Training Modules for Policymakers. Bangkok: United Nations. http://www.unescap.org/idd/pubs/internet-use-for-business-development.pdf.

Europa. Strategy for a secure information society (2006 communication). European Commission. http://europa.eu/legislation_summaries/information_society/internet/l24153a_en.htm.

Information and Privacy Office. Privacy Impact Assessment: A User’s Guide. Ontario: Management Board Secretariat, 2001.

Information Security Policy Council. The First National Strategy on Information Security. 2 February 2006. http://www.nisc.go.jp/eng/pdf/national_strategy_001_eng.pdf.

ISO. ISO/IEC27001:2005. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42103.

ITU, and UNCTAD. Challenges to building a safe and secure Information Society. In World Information Society Report 2007, 82-101. Geneva: ITU, 2007. http://www.itu.int/osg/spu/publications/worldinformationsociety/2007/report.html.

ITU-D Applications and Cybersecurity Division. ITU National Cybersecurity / CIIP Self-Assessment Tool. ITU. http://www.itu.int/ITU-D/cyb/cybersecurity/projects/readiness.html.

Killcrece, Georgia. Steps for Creating National CSIRTs. Pittsburgh: Carnegie Mellon University, 2004. http://www.cert.org/archive/pdf/NationalCSIRTs.pdf.

Killcrece, Georgia, Klaus-Peter Kossakowski, Robin Ruefle, and Mark Zajicek. Organizational Models for Computer Security Incident Response Teams (CSIRTs). Pittsburgh: Carnegie Mellon University, 2003. http://www.cert.org/archive/pdf/03hb001.pdf.

OECD. OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security. Paris: OECD, 2002. http://www.oecd.org/dataoecd/16/22/15582260.pdf.

__________OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html.

Shimeall, Tim and Phil Williams. Models of Information Security Trend Analysis. Pittsburgh: CERT Analysis Center, 2002. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.11.8034.

The White House. The National Strategy to Secure Cyberspace. Washington, D.C.: The White House, 2003. http://www.us-cert.gov/reading_room/cyberspace_strategy.pdf.


Notes for Trainers

As noted in the section entitled “About The Module Series”, this module and others in the series are designed to have value for different sets of audiences and in varied and changing national conditions. The modules are also designed to be presented, in whole or in part, in different modes, on- and off-line. The modules may be studied by individuals and by groups in training institutions as well as within government offices. The background of the participants as well as the duration of the training sessions will determine the extent of detail in the presentation of content.

These “Notes” offer trainers some ideas and suggestions for presenting the module content more effectively. Further guidance on training approaches and strategies is provided in a handbook on instructional design developed as a companion material for the Academy of ICT Essentials for Government Leaders module series. The handbook is available at: http://www.unapcict.org/academy.

Structuring the Sessions

For a 90-minute session

Provide an overview of basic concepts and international standards or principles of information security and privacy protection (sections 1 and 5 of the module). Stress the need for appropriate and effective information security and privacy protection policy.

For a three-hour session

Divide the session into two parts. In the first part, focus on basic concepts and trends in information security, including a description of information security threat trend analysis (section 2). In the second part, focus on basic concepts and principles of privacy protection, facilitate a discussion of issues that impact on privacy protection, and briefly describe privacy impact assessment.

For a full-day session (six hours)

After an overview of the key concepts and principles of information security and privacy protection, focus on information security policy development and implementation (section 7). You might begin by asking participants about the policy implications of the principles of information security and privacy protection. Then briefly present the life cycle of information security policy before focusing on the policy formulation process. Participants from countries with an information security policy might be asked to assess this policy in terms of the principles and process discussed, while those from countries without an information security policy might be asked to outline some aspects of such a policy (see the learning activity at the end of section 7.2).

For a two-day session

The first day may be conducted as described above, while the second day can focus on information security activities and methodology (sections 3 and 4), particularly the establishment of CSIRTs (section 6). The examples from other countries can be dissected, and participants should be encouraged to determine the most appropriate CSIRT model and to design specific security intervention mechanisms for their own national context.


Interactivity

It is important to have audience interactivity and practical exercises. The module provides a lot of useful information but training participants need to be able to critically analyse this information and apply it where it would be useful to do so. Some case studies are provided in the module and, whenever possible, these should be discussed in terms of information security concepts and principles. But participants should also be encouraged to explore authentic issues and problems in information security and privacy protection from their own context.


About the Author

The Korea Internet & Security Agency (KISA) was established in 2009, integrating three ICT-related organizations—the Korea Information Security Agency (KISA), the National Internet Development Agency (NIDA) and the Korean IT International Cooperation Agency (KIICA). It has the functions for Internet security, promotion and cooperation.

In the area of Internet security, KISA focuses on: (1) creating a safe Internet environment; (2) protecting the citizens’ personal information; (3) providing guidance on Internet and information security; (4) protecting critical information infrastructure; (5) strengthening security of e-government services; and (6) protecting public information.

In promoting the Internet, KISA’s efforts include the provision of a sustainable Internet environment, activation of national domains, and creation of a beautiful Internet world.

For Internet cooperation, KISA focuses on: (1) creating a new value through the convergence of broadcasting and communications; (2) supporting international cooperation in raising the prestige of Korean broadcasting and communications; (3) supporting overseas expansion of broadcasting and communications technology services and contents; and (4) providing global market information and reinforcing overseas promotion of broadcasting and communications technology services and contents.

http://www.kisa.or.kr


uN-aPcIct/eScaPThe United Nations Asian and Pacific Training Centre for Information and Communication Technology for Development (UN-APCICT/ESCAP) is a subsidiary body of the United Nations Economic and Social Commission for Asia and the Pacific (ESCAP). UN-APCICT/ESCAP aims to strengthen the efforts of the member countries of ESCAP to use ICT in their socio-economic development through human and institutional capacity-building. UN-APCICT/ESCAP’s work is focused on three pillars:

1. Training. To enhance the ICT knowledge and skills of policymakers and ICT professionals, and strengthen the capacity of ICT trainers and ICT training institutions;

2. Research. To undertake analytical studies related to human resource development in ICT; and3. Advisory. To provide advisory services on human resource development programmes to

ESCAP member and associate members.

UN-APCICT/ESCAP is located at Incheon, Republic of Korea.

http://www.unapcict.org

eScaP

ESCAP is the regional development arm of the United Nations and serves as the main economic and social development centre for the United Nations in Asia and the Pacific. Its mandate is to foster cooperation between its 53 members and nine associate members. ESCAP provides the strategic link between global and country-level programmes and issues. It supports governments of countries in the region in consolidating regional positions and advocates regional approaches to meeting the region’s unique socio-economic challenges in a globalizing world. The ESCAP office is located at Bangkok, Thailand.

http://www.unescap.org


The Academy of ICT Essentials for Government Leadershttp://www.unapcict.org/academy

The Academy is a comprehensive ICT for development training curriculum with currently ten modules that aims to equip policymakers with the essential knowledge and skills to fully leverage opportunities presented by ICTs to achieve national development goals and bridge the digital divide. Below are the short descriptions of the ten modules of the Academy.

Module 1 - The Linkage between ICT Applications and Meaningful DevelopmentHighlights key issues and decision points, from policy to implementation, in the use of ICTs for achieving the MDGs.

Module 2 - ICT for Development Policy, Process and GovernanceFocuses on ICTD policymaking and governance, and provides critical information about aspects of national policies, strategies and frameworks that promote ICTD.

Module 3 - e-Government ApplicationsExamines e-government concepts, principles and types of applications. It also discusses how an e-government system is built and identifies design considerations.

Module 4 - ICT Trends for Government LeadersProvides insights into current trends in ICT and its future directions. It also looks at key technical and policy considerations when making decisions for ICTD.

Module 5 - Internet GovernanceDiscusses the ongoing development of international policies and procedures that govern the use and operation of the Internet.

Module 6 - Information Security and PrivacyPresents information on security issues and trends, and the process of formulating an information security strategy.

Module 7 - ICT Project Management in Theory and PracticeIntroduces project management concepts that are relevant to ICTD projects, including the methods, processes and project management disciplines commonly used.

Module 8 - Options for Funding ICT for DevelopmentExplores funding options for ICTD and e-government projects. Public-private partnerships are highlighted as a particularly useful funding option in developing countries.

Module 9 - ICT for Disaster Risk ManagementProvides an overview of disaster risk management and its information needs while identifying the technology available to reduce disaster risks and respond to disasters.

Module 10 - ICT and Climate ChangePresents the role that ICTs play in observing and monitoring the environment, sharing information, mobilizing action, promoting environmental sustainability and abating climate change.

These modules are being customized with local case studies by national Academy partners to ensure that the modules are relevant and meet the needs of policymakers in different countries. The modules are also been translated into different languages. To ensure that the programme stays relevant and addresses emerging trends in the ICTD, APCICT regularly revises the modules and develops new modules.


APCICT Virtual Academy (http://e-learning.unapcict.org)

The APCICT Virtual Academy is part of the multi-channel delivery mechanism that APCICT employs in the implementation of its flagship ICTD capacity building programme, the Academy of ICT Essentials for Government Leaders.

The APCICT Virtual Academy allows learners to access online courses designed to enhance their knowledge in a number of key areas of ICTD including utilizing the potential of ICTs for reaching out to remote communities, increasing access to information, improving delivery of services, promoting lifelong learning, and ultimately, bridging the digital divide and achieving the MDGs.

All APCICT Virtual Academy courses are characterized by easy-to-follow virtual lectures and quizzes, and users are rewarded with APCICT’s certificate of participation upon successful completion of the courses. All Academy modules in English and localized versions in Bahasa and Russian are available via the Internet. In addition, plans for more content development and further localization are underway.

e-Collaborative Hub (http://www.unapcict.org/ecohub)

The e-Collaborative Hub (e-Co Hub) is APCICT’s dedicated online platform for knowledge sharing on ICTD. It aims to enhance the learning and training experience by providing easy access to relevant resources, and by making available an interactive space for sharing best practices and lessons on ICTD. e-Co Hub provides:

• A resources portal and knowledge sharing network for ICTD• Easy access to resources by module• Opportunities to engage in online discussions and become part of the e-Co Hub’s online

community of practice that serves to share and expand the knowledge base of the community of practice that serves to share and expand the knowledge base of ICTD

Documents

Academy Module6 Web